Hardening
LOCKING DOWN THE OPERATING SYSTEM
Rather than requiring a system administrator to harden an operating system by hand, vendors now offer products such as those listed in Table 4.5 that attempt to add an extra layer of protection to the operating system. These products often work by disabling or locking down all administrative-level services, which can then be accessed only with a password administered by the protecting product.
Table 4.5: Sample List of Operating System Protection Tools
NAME ASSOCIATED WEB SITE
Bastille Linux www.bastille-linux.org
EnGarde www.engardelinux.org
IISLockdown www.microsoft.com
Immunix www.immunix.org
ServerLock www.watchguard.com
Table 4.6 is a generic list of tests that can be used to form the basis of a system software-hardening checklist, while Allen (2001) outlines processes for hardening several different platforms.
Table 4.6: System Software Hardening Checklist
YES NO DESCRIPTION
□ □ Have vendor- and industry-recommended hardening customizations been researched and documented for each system software product that is or will be used by the Web site?
□ □ Have all the procedures used to harden each system software product been documented?
□ □ Have all the documented system software hardening procedures been implemented on every affected machine?
Masking
The more information an intruder can obtain about the brand, version, and installation options of any system software product installed on the Web site (such as the brand and version of the operating system the Web server runs on), the easier it will be for the intruder to exploit the known security holes in that particular version of the product. For instance, buffer overflow attacks (discussed in more detail in Chapter 6) are typically specific to an operating system and a hardware architecture (a buffer overflow attack that works on an NT/Alpha platform is unlikely to work on an NT/Intel or UNIX/Alpha platform). Therefore, to carry out this kind of attack, the operating system and hardware platform must first be deduced or guessed. Additionally, when designing new exploits, authors often need to recreate an equivalent system software and hardware environment in order to compile and test their newly discovered exploit(s).
Given how useful this kind of information is to an attacker, it makes sense for an organization to limit how much of it is exposed. Unfortunately, many products give it up all too easily. For instance, much of it can be obtained from the hello (banner) or error messages that a product sends by default when somebody initiates a connection with it. Intruders trying to deduce the brand and version of a product will often use a technique called banner grabbing: connecting to a service and recording the message it sends, which frequently identifies the brand and version of the product in use. To reduce this information leakage, many organizations choose to mask their Web sites, replacing these helpful default messages with legal warnings, blank or uninformative messages, or false banners that match the default response of a completely different brand of system software and therefore, with luck, cause an intruder to waste time on an ineffective set of exploits.
A security tester shouldn't have to rely on manual efforts (such as the ones illustrated in the "Banner Grabbing" sidebar). Rather, several tools now exist that attempt to identify (fingerprint) a target by running a series of probes. Some even offer features designed to make this activity less likely to be noticed by any intrusion-detection system (IDS) installed on the target Web site, which would otherwise tip off the organization that its Web site was being fingerprinted (a step usually grouped under enumeration). Table 4.7 lists some sample fingerprinting tools and services, while Scambray (2001) provides more detailed information on the techniques intruders use to fingerprint a target, and Klevinsky (2002) provides guidance on how to use many of the fingerprinting tools used by penetration testers and intruders alike.
Table 4.7: Sample List of Fingerprinting Tools and Services
NAME ASSOCIATED WEB SITE
Cerberus Internet Scanner www.cerberus-infosec.co.uk
Cheops www.marko.net
HackerShield www.bindview.com
Netcat www.atstake.com
Nmap www.insecure.org
SuperScan/Fscan www.foundstone.com
What's That Site Running? www.netcraft.com
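The banner grabbing and masking described above, as an added example in Python that is not code from this chapter: grab_banner() performs the manual step against a live host, and classify_banner() does what a simple fingerprinting tool does with the result, reducing a greeting to a product and version and reporting a banner it cannot match as masked. The regular expressions follow the real greeting conventions (the SSH identification string, the SMTP and FTP "220" greeting, the HTTP Server header); the banners in SAMPLE_BANNERS are constructed for this example, not captured from real hosts, and all function and variable names are the example's own.

```python
"""Banner grabbing and banner classification.

Added example, not code from the chapter. grab_banner() reads the greeting a
service sends on connect (sending a HEAD request first for HTTP, where the
server waits for the client to speak). classify_banner() reduces a greeting
to a product and version the way a simple fingerprinting tool would, and
reports a banner it cannot match as masked. The sample banners are
constructed for this example, not captured from real hosts.
"""
import re
import socket

# Greeting formats are the protocol conventions (SSH identification string,
# SMTP/FTP "220" greeting, HTTP Server header); product names are examples.
BANNER_PATTERNS = [
    # "SSH-2.0-OpenSSH_3.4p1"
    re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)[_/ ]?(?P<version>[\w.]+)?"),
    # "220 mail.example.com ESMTP Sendmail 8.12.1/8.12.1; ..."
    re.compile(r"^220 \S+ E?SMTP (?P<product>[A-Za-z]+) ?(?P<version>\d[\w.]*)?"),
    # "Server: Apache/1.3.26 (Unix)"; the version is absent when the server masks it
    re.compile(r"^Server: (?P<product>[A-Za-z-]+)(?:/(?P<version>[\w.]+))?", re.MULTILINE),
    # "220 ProFTPD 1.2.5 Server (...)"
    re.compile(r"^220[ -](?:\S+ )?(?P<product>[A-Za-z]+) (?P<version>\d[\w.]*)"),
]


def classify_banner(banner: str) -> dict:
    """Map a banner to {'product', 'version', 'masked'}; masked means no
    known greeting format matched, i.e. the banner gives a tool nothing."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return {"product": match.group("product"),
                    "version": match.group("version"), "masked": False}
    return {"product": None, "version": None, "masked": True}


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect and return the first bytes the service sends (live network use)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port in (80, 8080):  # HTTP servers say nothing until asked
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        return sock.recv(1024).decode("latin-1")


def audit(banners: dict) -> dict:
    """Classify each banner and record what it leaks: nothing, the product,
    or the product and version."""
    report = {}
    for name, banner in banners.items():
        info = classify_banner(banner)
        if info["masked"]:
            leak = "nothing"
        elif info["version"] is None:
            leak = "product"
        else:
            leak = "product+version"
        report[name] = {**info, "leaks": leak}
    return report


SAMPLE_BANNERS = {  # constructed for this example, not real captures
    "ssh": "SSH-2.0-OpenSSH_3.4p1\r\n",
    "smtp": "220 mail.example.com ESMTP Sendmail 8.12.1/8.12.1; Tue, 1 Oct 2002 10:00:00 -0400\r\n",
    "ftp": "220 ProFTPD 1.2.5 Server (ProFTPD Default Installation) [www.example.com]\r\n",
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\nContent-Type: text/html\r\n\r\n",
    "http_prod": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",  # what Apache's ServerTokens Prod produces
    "smtp_legal": "220 Unauthorized access to this system is prohibited\r\n",
    "http_false": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",  # false banner on a non-IIS host
}

if __name__ == "__main__":
    for name, info in audit(SAMPLE_BANNERS).items():
        print(f"{name:11} product={info['product']!s:14} version={info['version']!s:8} leaks={info['leaks']}")
```

Run over the sample set, the default Apache banner leaks product and version, the ServerTokens Prod style line leaks only the product, the legal-warning SMTP greeting matches nothing and is reported as masked, and the false IIS banner is reported as IIS, which is exactly the misdirection the text describes. A tester using a tool of this kind should therefore compare what the tool reports against what is known to be deployed, since a clean result can mean either a masked host or a successful decoy.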
Unfortunately, it's not always possible to completely mask the identity of an operating system, because the Transmission Control Protocol/Internet Protocol (TCP/IP) stack is implemented slightly differently by each operating system vendor. For example, the TCP options a stack supports and the order it sends them in, the initial time-to-live and window values it uses, and the way it generates sequence numbers may all differ among vendors, and none of these are affected by changing a banner. However, many novice attackers and some fingerprinting tools may still be fooled, or at least delayed, by a false banner.
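The TCP/IP stack differences just mentioned, as an added example (not code from the chapter) of why a false banner does not fully mask an operating system: parse_syn() pulls the stack-dependent fields out of an IPv4/TCP SYN, and guess_os() matches them against a signature table. The packets are constructed inline with build_syn(); the SIGNATURES table and its "Linux 2.4-style" and "Windows 2000-style" labels are illustrative for this example and are not a copy of any tool's validated fingerprint database; all names are the example's own.

```python
"""Passive TCP/IP stack fingerprinting from a SYN packet.

Added example, not code from the chapter. A false banner changes what a
service says, not how the host's TCP/IP stack builds packets. parse_syn()
extracts the stack-dependent fields of an IPv4/TCP SYN (initial TTL,
don't-fragment bit, window size, TCP option layout) and guess_os() matches
them against a signature table. The packets are constructed here with
build_syn(); SIGNATURES is illustrative for this example, not a copy of any
tool's fingerprint database.
"""
import struct


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value; the
    difference is the hop count, which the remote host does not control."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return observed


def parse_tcp_options(raw: bytes) -> list:
    """Decode the TCP option list into ['mss:1460', 'sackok', 'ts', ...]."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                     # end of option list (padding)
            break
        if kind == 1:                     # NOP, one byte long
            options.append("nop")
            i += 1
            continue
        length = raw[i + 1]
        if kind == 2:
            options.append("mss:%d" % struct.unpack("!H", raw[i + 2:i + 4])[0])
        elif kind == 3:
            options.append("wscale:%d" % raw[i + 2])
        elif kind == 4:
            options.append("sackok")
        elif kind == 8:
            options.append("ts")
        else:
            options.append("kind%d" % kind)
        i += length
    return options


def parse_syn(packet: bytes) -> dict:
    """Return the fingerprint-relevant fields of an IPv4/TCP SYN."""
    ihl = (packet[0] & 0x0F) * 4                        # IP header length
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    ttl = packet[8]
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4                       # TCP header length
    window = struct.unpack("!H", tcp[14:16])[0]
    return {
        "ttl": ttl,
        "initial_ttl": initial_ttl(ttl),
        "df": bool(flags_frag & 0x4000),
        "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
    }


# Illustrative signatures (option kinds in the order the stack emits them).
SIGNATURES = [
    {"name": "Linux 2.4-style", "initial_ttl": 64, "df": True,
     "options": ["mss", "sackok", "ts", "nop", "wscale"]},
    {"name": "Windows 2000-style", "initial_ttl": 128, "df": True,
     "options": ["mss", "nop", "nop", "sackok"]},
]


def guess_os(fields: dict) -> str:
    """Match the parsed fields against SIGNATURES; 'unknown' if none fits."""
    kinds = [o.split(":")[0] for o in fields["options"]]
    for sig in SIGNATURES:
        if (sig["initial_ttl"] == fields["initial_ttl"]
                and sig["df"] == fields["df"] and sig["options"] == kinds):
            return sig["name"]
    return "unknown"


def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4/TCP SYN for the examples (checksums left zero)."""
    opts = options + b"\x00" * (-len(options) % 4)    # pad to a 32-bit boundary
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + opts


# Constructed sample SYNs: each has crossed a few routers, so the TTL seen
# is below the stack's starting value.
LINUX_SYN = build_syn(ttl=58, df=True, window=5840,
                      options=b"\x02\x04\x05\xb4" + b"\x04\x02"
                      + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x00")
WINDOWS_SYN = build_syn(ttl=121, df=True, window=16384,
                        options=b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02")

if __name__ == "__main__":
    for label, pkt in (("host A", LINUX_SYN), ("host B", WINDOWS_SYN)):
        fields = parse_syn(pkt)
        print(label, fields, "->", guess_os(fields))
```

Whatever Server header host B sends, its SYN still carries the 128 starting TTL and the mss/nop/nop/sackok option layout, which is the information a stack-level fingerprinting tool uses and a false banner cannot change. In practice, the packets would come from a capture rather than from build_syn().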
Table 4.8: System Software Masking Checklist
YES NO DESCRIPTION
□ □ Is there a documented policy in place that describes under what circumstances a default banner should be replaced with a blank message, a legal warning, or a false banner?
□ □ If a legal warning is to be used, has it been approved by the legal department?
□ □ Have all the banner modifications deemed necessary by the policy been implemented on every affected machine?
□ □ If false banners are to be used, are they deceptive enough to trick a significant number of automated probing tools?