Desktop and Server Security

DESKTOP AND SERVER SECURITY
• IS YOUR DESKTOP SECURE
• HOW TO SECURE OWN DESKTOP
BY-AROHI MORYA
ATL FOUNDATION,ARA

Introduction
An important issue is how important security is, and how
much are we willing to pay it financial, convenience,
performance and other terms.

Operating Systems
Windows Linux

Windows 7 Desktop Security
 INTRODUCTION
 USER ACCOUNT CONTROL
 INTERNET EXPLORER
 WINDOWS FIREWALL
 LOCAL ADMINISTRATION GROUP
 LOCAL USER
 LOCAL ADMINISTRATION ACCOUNT
 SERVICES
 APPLOCKER
 BIT LOCKER

Introduction
 NORMALLY WINDOWS 7 IS MORE SECURE THAN ITS
PREDECESSORS, IT REMAINS VULNERABLE TO SECURITY
THREATS. IN THIS TIP, STEPS FOR SECURING WINDOWS 7
DESKTOPS.
 YOU WILL HAVE A PERFECT OPPORTUNITY TO SECURE YOUR
WINDOW 7 DESKTOP SECURITY.
 YOU CAN REDUCE HELPDESK CALL, INCREASE PRODUCTIVITY
AND SECURITY.
 I WILL SHOW YOU. HOW TO SECURE OWN DESKTOP STEP TO
STEP . . . . . . . . . .

User account control(uac)
 WINDOWS 7 MAKES IT MUCH EASIER TO DEAL WITH UAC SETTINGS, AND IN FACT
YOU DON’T HAVE TO COMPLETELY DISABLE UAC IF YOU DON’T WANT TO. JUST TYPE
UAC INTO THE START MENU OR CONTROL PANEL SEARCH BOX.
 USER ACCOUNT CONTROL SETTING IS TERM IS NOTIFY THE USER INSTALL AND
REMOVE PROGRAMME.

User Account control setting
 NOTIFICATION SCALE IS SHOW
 UP LEVEL SHOW RISK IS HIGH AND
 LOW LEVEL RISK LOW

Internet Explorer
 INTERNET EXPLORER COMES TO ALL WINDOWS
OPERATING SYSTEMS BUT VERSION IS CHANGE.
 WINDOW 7 PROVIDES SOME AMAZING
SECURITY WHEN WE ARE BROWSING THE
INTERNET EXPLORER.
 PROTECTED MODE IS SECURE YOUR SECURE
OUR SYSTEM BY LEVERAGING THE BENEFITS OF
USER ACCOUNTS CONTROL, PLUS ADDING IN
INTEGRITY CONTROLS AND ISOLATION OF
INTERNET EXPLORER FROM OTHER RUNNING
APPLICATION.

 OPEN THE INTERNET
EXPLORER GO TO SETTING
OPEN DIALOG BOX AND
CLIK INTERNET
OPTION.AND CHECK THE
ALL TAB FOR PRIVATE
SETING AS
GENERAL,SECURITY,PRIVAC
Y
ETC.

 The Windows 7 firewall now gives you the ability to select from three network locations types upon
connecting your computer to a new network.
 Another evolutionary step in the Windows 7 firewall is its support for multiple firewall profiles simultaneously.
 In order for we to centralize, customize, and define more rules for our windows 7 desktops, we can use group
policy.

Local administration group
 TO HELP MAKE OUR COMPUTER MORE SECURE, ADD A USER TO THE
ADMINISTRATORS GROUP ONLY IF IT IS ABSOLUTELY NECESSARY. USERS IN THE
ADMINISTRATORS GROUP HAVE COMPLETE CONTROL OF THE COMPUTER. THEY
CAN SEE EVERYONE'S FILES, CHANGE ANYONE'S PASSWORD, AND INSTALL ANY
SOFTWARE THEY WANT.
 TO CONTROL THIS ,WE CAN USE GROUP POLICY PREFERENCES.

Local user
 LOCAL USER MEAN WINDOW 7 PROVIDED TO MORE USER SAME SYSTEM. THEY HAVE
OWN USER ACCOUNT.
 WINDOWS 7 ALLOWS YOU TO HAVE MULTIPLE USERS SHARING THE SAME
COMPUTER UNDER THEIR OWN INDIVIDUAL ACCOUNTS

Services
 WE DON’T WANT USER RUNNING JUST ANY OLE SERVICE
ON THEIR WINDOWS 7 COMPUTER. THEREFORE WE CAN
ESTABLISH A LIST OF APPROVED AND DENIED SERVICES
USING GROUP POLICY PREFERENCES.
 WINDOWS SERVICES CAN BE CONFIGURED TO START
WHEN THE OPERATING SYSTEM IS STARTED AND RUN IN
THE BACKGROUND AS LONG AS WINDOWS IS RUNNING.
ALTERNATIVELY, THEY CAN BE STARTED MANUALLY OR
BY AN EVENT. WINDOWS NT OPERATING SYSTEMS
INCLUDE NUMEROUS SERVICES WHICH RUN IN CONTEXT
OF THREE USER ACCOUNTS.

AppLocker
 THE SOFTWARE CONFIGURATION OF A TYPICAL
DESKTOP COMPUTER CHANGES FROM ITS DESIRED OR
INITIAL STATE USUALLY FROM THE INSTALLATION
AND EXECUTION OF NON-STANDARD OR
UNAPPROVED SOFTWARE.
 IT MEANS THAT TECHNIQUES ALWAYS NOTIFICATION
ALERT ASKE USER ARE YOU SURE INSTALL
PARTICULAR DATA, APPLICATION ETC.

Bit locker
WINDOWS 7 BITLOCKER™ DRIVE ENCRYPTION IS A DATA PROTECTION FEATURE AVAILABLE IN
WINDOWS® 7 ENTERPRISE AND ULTIMATE FOR CLIENT COMPUTERS AND IN WINDOWS SERVER
2008 R2.
THE TECHNOLOGY IS SIMPLE AND EASY TO CONFIGURE.
SUPPORT FOR NEW FILE SYSTEMS (FAT, FAT32, EXFAT).
SUPPORT FOR REMOVABLE DATA VOLUMES: NOW ANY VOLUME FORMATTED USING A SUPPORTED
FILE SYSTEM CAN BE PROTECTED, WHETHER AN EXTERNAL HARD-DRIVE OR A FLASH STICK.
NEW KEY PROTECTORS: A PASSWORD OR A SMARTCARD CAN NOW BE USED TO PROTECT DATA
VOLUMES.
NEW RECOVERY MECHANISM: A PUBLIC-KEY-BASED KEY-PROTECTOR CAN NOW BE USED BY
ENTERPRISE-DESIGNATED DATA RECOVERY AGENTS (DRA) TO TRANSPARENTLY PROTECT ALL
VOLUMES AND RECOVER THEM WITHOUT THE NEED OF A RECOVERY KEY OR RECOVERY
PASSWORD.

Local Right And Privileges0
 LOCAL RIGHT THESE ARE PER COMPUTER
CONFIGURATIONS THAT CONTROL WHAT A USER CAN
DO TO A COMPUTER.
 PERMISSION IS WHAT YOU CONFIGURE FOR
RESOURCE ACCESS. A RESOURCE IS A FILE, FOLDER,
REGISTRY, KEY, PRINTER, OR ACTIVE DIRECTORY
OBJECT. PERMISSION DEFINE WHO CAN DO WHAT TO
A RESOURCE.
 PERMISSION’S EXAMPLE ARE READ, MODIFY, DELETE,
ETC.

What is Registry
 REGISTRY MEAN NOTE PARTICULAR NAME OR ANYTHING,
THAT KNOWN AS GENERAL WAYS REGISTERED BUT IN
COMPUTER KNOWN AS ALL DATABASE THAT STORE
CONFIGURE SETTINGS AND OPTIONS ON MICROSOFT
WIDOWS OPERATING SYSTEMS. MICROSOFT WINDOWS
FIRST INTRODUCED IN WINDOWS 3.1.
 YES THAT CAN USE DESKTOP SECURE BY REGISTRY EDITING.

Registry Structure
 THE REGISTRY HAVE TWO BASIC ELEMENTS…
1. KEYS
2. VALUES
 AND ALSO HAVE FIVE CLASSES
1. HKEY CLASSES ROOT
2. HKEY CURRENT USER
3. HKEY LOCAL MACHINE
4. HKEY USERS
5. HKEY CURRENT CONFIG

Registry Editing
 The registry is edited by manually. Manually mean current user as administration or guest user.
 For open windows key +R key and type “regedit” and enter registry editor is open.
 Registry Editor is a tool intended for advanced users. It's used to view and change settings in the
system registry, which contains information about how your computer runs.

I followed the rules. Here are my five rules for safer Registry editing:
1.The ironclad rule of Registry editing is that you must first back up the Registry. For many, making a
System Restore point is the most convenient backup method. I also use the export facility of Regedit
to make a copy of the Registry key that I am working on. Keep in mind that Regedit has no Undo
function.
2. Know how to restore a Registry backup. It can be as simple as running System Restore or merging
a backup REG file.
3. Make only one Registry edit at a time. Wait to see if everything works the way you want before
making any more changes to the Registry. Don't forget that many Registry edits require that you log
off or reboot before they take effect.
4. Only use Registry edits recommended by known reliable sources. Many of the common
recommendations on the Internet are useless or nearly so. And some are even harmful.
5. Remember Rule #1.
RULES FOR EDITING THE REGISTRY SAFELY

Root keys or Hives
Keys Abbreviation Description
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKCR
HKCU
HKLM
HKU
HKCC
Stores file association and COM object registration
Stores data associated with the account currently logged on
Stores system-related information
Stores information about all the accounts on the machine
Stores information about the current machine profile

REGISTRY FILES
 THE REGISTRY
EDITOR ON
WINDOW ON
THESE SYSTEMS
ALSO SOPPORTS
EXPORTING.REG
FILES ON
WINDOWS 9X/NT
FORMAT.DATA IS
STORED IN .REG
FILES.
 [HKEY LOCAL
MACHINESOFTW
AREMICROSOFT]

PROTECTING THE REGISTRY
 ALL THE INITIALIZATION AND CONFIGURATION INFROMATION USED BY
WINDOW IS STORED IN THE REGISTRY.NORMALLY, THE KEYS IN THE
REGISTRYKK ARE CHANGED INDIRECRLY, THROUGH THE ADMINISTRATIVE
TOOLS SUCH AS THE CONTROL PANEL.
 THE SECURITY PERMISSIONS SET ON THIS KEY DEFINE WHICH USERS OR
GROUPS CAN CONNECT TO THE SYSTEM FOR REMOTE REGISTRY ACCESS.
HIVE: HKEY_LOCAL_MACHINE
KEY: CurrentcontrolSetControlSecurePipeServers
NAME: winreg

 GROUP POLICY IS A HIERARCHICAL INFRASTRUCTURE THAT ALLOWS A NETWORK
ADMINISTRATOR IN CHARGE OF MICROSOFT'S ACTIVE DIRECTORY TO IMPLEMENT
SPECIFIC CONFIGURATIONS FOR USERS AND COMPUTERS. GROUP POLICY CAN ALSO
BE USED TO DEFINE USER, SECURITY AND NETWORKING POLICIES AT THE MACHINE
LEVEL.
 THE GROUP POLICY IS A TOOL USED TO ASSIGN POLICIES TO A SYSTEM. GROUP
POLICIES ARE DESIGNED TO APPLY POLICY SETTINGS TO A WIDE VARIETY OF TASKS.
 WINDOWS 2000 AND LATER VERSIONS OF WINDOWS USE GROUP POLICY TO
ENFORCE REGISTRY SETTINGS. POLICY MAY APPLIED LOCALLY TO A SINGLE
COMPUTER USING GPEDIT.MSC OR TO MULTIPLE COMPUTERS IN A DOMAIN USING
GPMC.MSC.
 FOR OPEN GPE GO TO RUN DIALOGUE BOX AND TYPE GPEDIT.MSC

Using Group policy editor
 Notice that the local security policy is divided into Computer Configuration and User Configuration. The
Desktop configuration portion of the local security policy can be found by navigating through the console
to User Configuration.

Create Registry Value
 STEP 1-FIRST OPEN REGISTRY
EDITORS, GO TO RUN TYPE
REGEDIT AND OK
 STEP 2- THEN CREATE VALUE
PRESSING RIGHT CLICK ON LEFT
HAND SIDE WINDOW IT MAY BE
DWORD VALUE STRING VALUE
ETC DEPENDING UPON THE
REGISTRY CONFIGURATION
AND THEIR PATH.

Windows 8 introduction & security
Windows 8 is newest family of Microsoft windows family and windows 8.1 is updated features including
some new feature e.g.-start menu etc
Why windows 8 or 8.1
 This version built by Microsoft for broad access as laptop, pcs, tablet pcs and mobile phones using
modern technology at home.
 Provide the experience and devices that users love and expect.
 Deliver enterprises-grade solutions that we can use to manage and secure them.
Windows 8 also offers enterprises grade solution
 Enhance to end-to-end security
 Management and virtualization advancements windows 8 includes
And windows 8 have fast boot and shutdown feature from later Microsoft windows family

Similarities windows 7 and windows 8
Windows 8 is just an improvement of windows 7 features. But still
there exists some points that are common in both & they are:
 Windows 8 is use the same management tools that we already
use to support Windows 7 in our organization.
 In windows 7 you can quickly run apps by pressing the windows
logo key, typing the name of the app and pressing Enter. we
can do the same windows 8
 In windows 8 we swipe in from the top edge of the screen to
display app commands by simply right click with the mouse.
 Windows 8 is definitely more secure than Windows 7. An integrated
antivirus and application reputation system, along with a tamed app
ecosystem that replaces the wild-west nature of previous versions of
Windows, will probably make the most difference for inexperienced
users that may not have ran an antivirus or knew which applications
were safe to install on previous versions of Windows. Low-level
improvements to the way Windows manages memory will help
everyone, even power users.

New features of windows 8 or 8.1
 Windows 8 is focused on users
 Windows is focused very heavily on a new, tiled, touch-centric interface for
tablet

End to end Security
 Windows 8 have secure booting system because some malware
programs target the boot process and insert.
 Measure boot on Trusted Platform Module(TPM) based systems.
 Bit locker Drive Encryptions-It is a data protection feature in
windows 8 pro and windows 8 enterprises editions that helps
protect data theft from lost, stolen or inappropriately
decommissioned computers.
 AppLocker-It is a simple and flexible mechanism that allows our
specify exactly which apps are allowed to run users pcs.
 Windows Smart Screen-Its app reputation is safety feature in
windows 8 or 8.1
 Claim Based access control-this control is enables you to set up
and manage usage polices for files folders, and shared
resources.

Hardware Recommendations
Windows 8 or 8.1
If you want to run Windows 8.1 on your PC, here's what it takes:
Processor: 1 gigahertz (GHz)* or faster with support for PAE, NX, and SSE2 (more info)
RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
Graphics card: Microsoft DirectX 9 graphics device with WDDM driver
If we're running Windows 8 we can get a free update to Windows 8.1. Just tap or click
the Windows Store tile on your Start screen. Once we've moved up to Windows 8.1 we
should get the update automatically. If you don't, follow these steps to get it
manually using Windows Update.

Hardware Innovation
Touch
Touch is clearly front and centre for Microsoft
1. The response times required for touch
2. The sensitivity and precision required of digitizer
3. The user experience of flush bezel
Long battery life
One of the key design tenant of Windows 8 or 8.1 is enable to long life battery
Sensor and security
With windows 8 or 8.1 will enables developers to take advantage of hardware
innovation such as
1. Low power Bluetooth
2. Gps
3. Gyroscopes
4. accelerometer
We will also be able to take advantage of security hardware technology like
Trusted Platform Module(TPM) and Unified Extensible Interface(UEFI) boot.

Windows 8 Security
Protecting the client against threats
Boot options for security
Smart screen
Vulnerability mitigation and
sandboxing
Protecting sensitive data
 secure access to resources

Protecting the client against threats
 Microsoft actually introduced a few great features in its new
operating system, some of which will help keep you safer from
malware and other security threats.
 To take full advantage of Windows 8’s new security features, your PC
needs to run a new kind of boot system called Unified Extensible
Firmware Interface (UEFI). This system, which replaces the archaic
Basic Input/output System (BIOS), adds many new boot features and
greatly speeds the start-up process.

Boot options for security
Measured Boot
The biggest challenge with rootkits and bootkits on earlier versions of
Windows is that they can be undetectable to the client. Because they
start before antimalware and they have system-level privileges, they can
completely disguise themselves while continuing to access system
resources. As a result, PCs infected with rootkits appear to be healthy,
even with antimalware running.
Secure Boot
When a PC starts, it starts the process of loading the operating system by
locating the bootloader on the PC’s hard drive. If a PC doesn’t support
Secure Boot (as is the case with most PCs released prior to Windows 8),
the PC simply hands control over to the bootloader, without even
determining whether it is a trusted operating system or malware.
On new Windows 8 computers that use the UEFI firmware instead of the
old-style BIOS, Secure Boot guarantees that only specially signed and
approved software can run at boot. On current computers, malware
could install a malicious boot loader that loads before the Windows boot
loader, starting a boot-level rootkit (or “bootkit”) before Windows even
launches. The rootkit could then hide itself from Windows and antivirus
software, pulling the strings in the background.

Smart screen check application reputation.
Smart screen gives broader protection
When we install new app then automatic activate and remember are you secure
Smart screen

Vulnerability mitigation and sandboxing
 Windows 8 has improved address space layout
randomization (ASLR) data execution prevention
(DEP) both of which make exploiting vulnerabilities
more difficulty.
 The combination DEP and ASLR in windows 8 increase
the amount of effort required by an attacker to
develop and be successful with an exploit.

Protecting sensitive data
Where users travel, so does their organization’s confidential data. Since Windows Vista, BitLocker has provided full
drive encryption capable of protecting both confidential data and system integrity. Windows 8 improves BitLocker
by making it easy and faster to deploy, more convenient, and more manageable.
Table 2 lists specific data-protection challenges in Windows 7 and the Windows 8 solution.
Table 2. Windows 8 solutions to Windows 7 data-protection challenges
Windows 7 challenge Windows 8 challenge
When BitLocker is used with a PIN to protect start-up, PCs such as servers and kiosks cannot be restarted
remotely.
Network Unlock allows PCs to start automatically when connected to the internal network.
Users must contact IT to change their BitLocker PIN or password. Windows 8 allows users with standard privileges to change their BitLocker PIN or password.
Enabling BitLocker can make the provisioning process take several hours. BitLocker preprovisioning and Used Space Only encryption allow BitLocker to be quickly enabled on new
computers.
No support for using BitLocker with Self-Encrypting Drives (SEDs). BitLocker supports offloading encryption to encrypted hard drives.
Administrators have to use separate tools to manage encrypted hard drives. BitLocker supports encrypted hard drives with onboard encryption hardware built in, allowing administrators
to use the familiar BitLocker administrative tools to manage them.
Encrypting a new flash drive can take more than 20 minutes. BitLocker To Go’s Used Space Only encryption allows users to encrypt drives in seconds.
BitLocker could require users to enter a recovery key when system configuration changes occur. BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the user loses
their PIN or password.

secure access to resources
 Pervasive Internet access and the latest generation of
lightweight tablets and Ultrabook devices have changed the
way users work. They are not sitting at a desk with a mouse
and keyboard anymore; they are using touch interfaces,
travelling around the world, and working from untrusted
networks. Let’s explore the different ways Windows 8 meets
these modern work styles.
 Virtual smart cards enables two factor authentication in a
cost-effective manner.
 Dynamic Access Control enables granular and complex
resource protection throughout an enterprises.

LINUX SECURITY
I N T R O D U C T I O N & S E C U R I T Y

O V E R V I E W
 A D VA N TA G E L I N U X
 T H R E AT S TO L I N U X M A C H I N E S .
 S E C U R I N G L I N U X B E T T E R .
 H O W TO S E C U R E L I N U X

LINUX KERNEL
 The kernel is the central nervous system of Linux,
include OS code which runs the whole computer. It
provides resources to all other programs that you run
under Linux, and manages all other programs as they
run.
 The kernel includes the code that performs certain
specialized tasks, including TCP/IP networking.
 The kernel design is modular, so that the actual OS
code is very small to be able to load when it needs,
and then free the memory afterwards, thus the kernel
remains small and fast and highly extensible

LINUX NETWORKING
 Networking comes naturally to Linux. In a real sense, Linux is
a product of the Internet or World Wide Web (www).
 Linux is made for networking. Probably all networking
protocols in use on the Internet are native to Unix and/or
Linux. A large part of the Web is running on Linux boxes,
e.g. : AOL

ENCRYPTION
 Encryption commonly used to secure data. It is the ancient technique of
hiding information in plain sight. Include:
 Strong encryption - is stronger than the 40-bit encryption maximum
that can be exported from the United States under U.S. law.
 Public-key Encryption - is a type of asymmetric encryption, which is a
system that you encrypt your message with one key, and the recipient
decrypts it with a mathematically related, but different key.

THE SECURE SHELL(SSH)
 The ssh and its tools use strong encryption to allow remotely
located systems to exchange data securely.
 By using strong encryption, ssh significantly enhances the
security of both the authentication process and the session
itself.

ADVANTAGE OF LINUX
User vs. administrator
Only root can install software or change system
settings.
More difficult for viruses to spread.
Commands, utilities, even the desktop run
separately from the Kernel.
Security updates are easier, quicker to deploy.

THREATS TO LINUX MACHINES
 Reasons for Break-in.
 Loose Passwords
 Improper Permissions
 Careless Security
 Unwanted Vulnerable Services
 Brute force password attacks
 Buffer overflows in network services.
 int main () {int buffer[10]; buffer[20]=10;}
 Aim: overwrite some control information to change the flow of control in
the program.

SECURING LINUX BETTER
1. Secure the console
2. Set good passwords
3. Set right permissions
4. Secure the network connection
5. Restrict Access
6. Iptables
7. Firewalls, Ports & Services
8. Handling / Restricting Services
9. Adding security to desktop
10. Keep the system up to date

SECURING THE CONSOLE
Physical Security
Password protect the screensaver.
Set a password on the boot loader (lilo / grub).
Use xlock or xautolock while away.
Do NOT normally login as root in own machine.
Set BIOS Password.
Machine in safe location.
Set boot hierarchy to HDD first (not CD,HDD).
Restrict Remote access.
Set up an idle timeout, to logout idle users.

PASSWORDS
Use strong, unique passwords (especially for root)
Must have a minimum length of 8 characters.
Must be alpha-numeric not based on dictionary words.
Password must be changed every 30 days.
Account will be locked out after 3 consecutive unsuccessful
login attempts.
Don’t write down passwords or User-id & password.
Passwords must contain multiple characters (Lower / Upper
Case, numbers, punctuation etc.)
Root password should be very hard to crack.

PERMISSIONS
Correct permissions & ownerships on all directories & files.
Never make files world-writable / world readable.
Search for world-writable files in pwd
find . -perm -2 -print
Improper file permissions in /dev : read/write directly to hardware like hard
disks and network interfaces.
/dev files should only be writable by root & readable only by their group
Exception : /dev/tty, /dev/pty, /dev/null, /dev/zero.
find /dev -perm -2 -print
chmod -R 700 /etc/rc.d/init.d/*
Lock the /etc/services file so that no one can modify it

SECURE THE NETWORK
Remove all unwanted users and groups.
Enable nospoof option in /etc/host.conf.
Don't create /etc/hosts.equiv or a .rhosts file
Don't run rlogind or rshd. (pw in plain text)
Run sshd to allow remote access via SSH
Use TCP Wrappers “tcpd”
Use /etc/hosts.deny & /etc/hosts.allow
hosts.allow overrides hosts.deny
Disable unwanted services thru xinetd.conf also
Ref: man hosts_access

MORE OF /ETC/ACCESS.[ALLOW|DENY]
/etc/hosts.deny
Only Local host allowed access
ALL:ALL
/etc/hosts.allow
sshd: ALL
ALL: .tifr.res.in EXCEPT xyz.tifr.res.in
Allow localhost
ALL : 127.0.0.1
Allow another m/c to connect to any service
ALL : 192.168.1.2
Let all ssh except 192.168.1.3 and 192.168.1.4
sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4

FIREWALLS
 Hardware firewall - A device between Internet & LAN.
 Software firewall: Software on a desktop/server that rejects
certain types of network traffic.
 Consider implementing a firewall. man iptables
 Restrict n/w traffic to a machine or network segment.
 Improves security and network performance.
 Why do I need a software firewall?
 Protects the m/c even if the h/w firewall is compromised.
 Protects the m/c against compromised m/c s on n/w.
 When can't one use a firewall?
 Some services (like Samba) may use unspecified ports.
 Some applications want to use arbitrary ports.

IPTABLES
System Settings > Security Level
System Settings > Server Settings > Services
Activate iptables in runlevels 3 & 5
Chains: INPUT, OUTPUT,FORWARD.
Effects : ACCEPT, DENY, DROP
List all iptables rules
# iptables –L
# iptables -A INPUT -s <SIP> -j DROP
# iptables -D <Chain name> <Rule no>

IPTABLES (CONTD…)
 Drop all incoming telnet packets
# iptables -A INPUT -j DROP -p tcp --destination-port
telnet
 Block any incoming tcp packets on 2nd Eth card (eth1)
# iptables -A INPUT -j DROP -p tcp -i eth1
 Drop incoming sync ie. anything not initiated by our PC
# iptables -A INPUT -p tcp --syn -j DROP
 Block by mac address
iptables -A INPUT --mac-source 00:0B:DB:45:56:42 -j
DROP
 Ref:

PORTS
What are ports?
Network connection analogous to a lan highway.
Each type of traffic needs to be in its own lan
A port is analogous to a lane on the highway; different types of
traffic (http, ftp, ssh, etc.) use different ports (80,21,22 etc)
What ports need to be open?
Open the ports for services you need to use and/or offer others.
SSH (remote access to your machine): 22
FTP (file sharing server): 21
Web server: 80
X (display graphics on remote machines): 6000
See /etc/services for an exhaustive list.
Close unused ports/terminate unwanted services.

SERVICES / DAEMONS
Services :
Special applications that start before any login
Web server (httpd or Apache)
File services (samba, NFS, ftpd)
Print services (lpd, CUPS)
Remote access (telnetd, sshd, vncserver)
Management tools (crond, rhnsd)
Why can services be dangerous?
Many services offer themselves to local & remote m/c s
If a flaw exists in the program providing the service, an attacker can exploit
this flaw and break into the machine
RULE: don't run any services you don't need.
RULE: if you're running a service, restrict access possible.

ADDING SECURITY TO DESKTOP
 NIS maintains and distributes files such as /etc/group, /etc/password, and
/etc/hosts
 NIS’s very nature of “easy information access” makes it tasty hacker bait
 A late replacement is NIS+
 Access to NFS volumes is granted by /etc/exports
 This is a weak form of security because the server trusts the clients to tell it
who they are
 It is easy to make clients lie about their identities
 The TCP wrappers package can help limit the hosts that can access NFS
filesystems (through /etc/hosts.deny)

METRICS
 Elements of an overall severity metric
Damaged potential of any given discovered security vulnerability is a
measurement of the potential harm done.
 Overall severity metric and interaction between the three key
metrics.
Our security analyst informs that we are the CIO for a business based on a web
ecommerce site.
 The exception of rule
The exploitation potential is an exception to this rule, anonymous malicious
hackers with only mediocre programing skills can spend week months
developing a program to exploit a security hole with little or no risk of
getting caught.
 Applying the overall severity metric
Suppose one operating system has far more security alerts than another.

MICROSOFT WINDOWS VS LINUX
Both offer some of the graphics capabilities and include some
networking capabilities. But Linux networking is excellent.
Linux is multi-user, multi-tasking, but Microsoft Windows
doesn’t support it.
Viruses, Trojans and other malware make it onto Window
desktop for a
Familiar to window and foreign to linux

Desktop and Server Security

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Desktop and Server Security (20)

Recently uploaded (20)

Desktop and Server Security