Archive for the ‘Best Practices’ Category

Hardening Windows Servers using Templates

Monday, October 9th, 2006

This article will explain why you need to harden your Windows servers and how you can use templates to make the process a lot easier.

http://www.windowsecurity.com/articles/Hardening-Servers-Security-Templates.html

47 Security Checklists

Monday, October 9th, 2006

These are straight from the Defense Information Systems Agency.

http://iase.disa.mil/stigs/checklist/index.html

Look at all these passwords!!

Thursday, August 24th, 2006

From Security Monkey:

Look At All Of These Passwords!
Posted 8/21/2006 by SecurityMonkey (Information Security Investigator)

If you use any number of popular web forums or even some commercial services like classmates.com, amazon.com, netzero.com or your provider’s webmail service, you may not be aware that you’re sending your credentials over the internet in the clear.

Some sites appear to secure your credentials, but they really don’t. Some offer SSL sign-ins, but don’t make them the default. Others don’t even attempt to use proper SSL encryption or to obscure the credentials at all.

Remember the wall of sheep from DefCon? All of those people that kept logging into net resources assuming that nobody was listening? They were wrong!

Let’s look at a couple of great examples of sites that have really awful security design, and see exactly how easy it is to steal credentials if you have access to the wire. These were obtained using nothing more than a linux laptop, a cable modem, ettercap (running ARP spoof and MiM gateway) and a bit of coffee.

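
To make the point of the post concrete, here is an added example that is not part of Security Monkey’s write-up or of ettercap: a small Python extractor that pulls credentials out of plaintext HTTP requests, which is all an ARP-spoofing gateway (or anyone on the same hub or hotspot) has to do once it sees the traffic. The three requests are constructed, with made-up hosts, users and passwords; a request over SSL is deliberately absent, because there is nothing for this code to read in it. The same script is useful on the defending side: run it over a capture of your own login flow and anything it prints is a credential your site sends in the clear.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests (hypothetical hosts and credentials, not real captures):
# this is what a passive sniffer or an ARP-spoofing gateway sees when a login is
# submitted over plain HTTP.
SAMPLE_REQUESTS = [
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: forum.example.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n\r\n"
    b"username=alice&password=hunter2&login=1",
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: webmail.example.net\r\n"
    b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n",
    b"GET /news HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=abc123\r\n\r\n",
]

# Field names commonly used by login forms; extend as needed for the sites you audit.
USER_FIELDS = {"user", "username", "login", "email", "uid"}
PASS_FIELDS = {"pass", "password", "passwd", "pwd"}


def parse_request(raw):
    """Split one HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_credentials(raw):
    """Return a list of credential dicts found in one plaintext request."""
    method, target, headers, body = parse_request(raw)
    host = headers.get("host", "?")
    found = []

    # HTTP Basic auth is base64, not encryption: one decode and it is readable.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("latin-1")
        except ValueError:
            decoded = ""
        user, _, password = decoded.partition(":")
        if user:
            found.append({"host": host, "kind": "basic", "user": user,
                          "password": password, "path": target})

    # HTML login forms normally POST an application/x-www-form-urlencoded body.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        user = next((v[0] for k, v in fields.items() if k.lower() in USER_FIELDS), None)
        password = next((v[0] for k, v in fields.items() if k.lower() in PASS_FIELDS), None)
        if password is not None:
            found.append({"host": host, "kind": "form", "user": user,
                          "password": password, "path": target})
    return found


def audit_capture(captured):
    """Run every captured request through the extractor and collect the hits."""
    hits = []
    for raw in captured:
        hits.extend(extract_credentials(raw))
    return hits


if __name__ == "__main__":
    for hit in audit_capture(SAMPLE_REQUESTS):
        print(f"{hit['host']:<22} {hit['kind']:<6} {hit['user']}:{hit['password']}  ({hit['path']})")
```

Feed it the reassembled TCP payloads from a capture (dsniff, ettercap or a pcap split per stream) rather than raw packets, since a POST body can span segments; the third sample shows that an ordinary page view yields nothing, which is exactly why the login, not the browsing, is what the sniffer waits for.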

Microsoft Private Folder

Thursday, July 20th, 2006

I found this at: http://kaosx.net/?q=node/6

Here’s an excerpt from the site:

Microsoft released Private Folder recently, which is something that is commonly asked for by users: “How do I create a password protected folder?” I’m normally using file shares off of a Samba box and have permissions set, so it’s not something I usually think about, but for those less technically inclined (or those that want some simple protection) this might be just the thing you’re looking for.

I know you 1337$@uC3 guys will be like “just use TrueCrypt,” but if you already have a solution, that’s great, rock on. I really do like TrueCrypt and have a partition on my flash drive, so I hear you there.

But I digress.

Microsoft describes private folder as

“Microsoft Private Folder 1.0 is a useful tool for you to protect your private data when your friends, colleagues, kids or other people share your PC or account. With this tool, you will get one password protected folder called ‘My Private Folder’ in your account to save your personal files. Download and have your private folder today!

The following hardware and software are required to run Microsoft Private Folder 1.0:

Microsoft Windows XP Home Edition, Professional Edition and Media Center Edition with SP2
Super VGA (800 x 600) or higher-resolution video adapter and monitor

Please note: Microsoft Private Folder 1.0 is provided specifically for genuine Windows customers, and requires genuine Windows validation in order to download. The software is free, and does not come with product support.”

Personally, I use TrueCrypt since it offers a lot more features than MS Private Folder, but for the average home user this looks like a great piece of software.

THE Visual Guide To Penetration Testing

Monday, July 17th, 2006


As posted on one of my favorite blogs, A Day in the Life of an Information Security Investigator

What’s that? You really want a visual guide to penetration testing? Something that covers:

- Enumeration tools (nmap, firewalk, amap, nbtscan, hping, scanrand, sinfp, etc.)

- General Vulnerability Scanning Tools (nessus, typon, NGS Squirrel, MatriXay, SARA)

- Exploit Engine Tools (metasploit, manual SQL injection, etherape, netwox, hijetta)

- Pre-inspection visit steps (EVERYTHING!)

- Password Cracking (JtR, L0pht, Rainbow, pwdump)

- Network Recon (whois, samspade, google, social engineering, dumpster diving, zone transfers)

- Enumeration results steps (what if a certain port IS open?)

- Command line examples of each tool

Something that could be printed out and be your all-in-one guide to penetration testing?

SHAZZAM!

Behold, your wish has been granted.

This is a must see!

Chief

Advanced VIM tutorial

Sunday, May 21st, 2006

If you’re a UNIX / Linux guy and use vi or vim on a regular basis, this tutorial is for you. There’s no way for one person to know all, or in my case a quarter, of what vi/vim has to offer. I’m ALWAYS learning new things.

This tutorial will definitely show you things you didn’t know about vim.

The author of this tutorial brings up a good point: why take the time to learn a more efficient way to do the task at hand when researching that way would take longer than just doing the task? Because the next time you face the same task, you’ll still be stuck doing it the long way. Besides, how else are you going to learn all the cool features of your favorite text editor?

Also, remember this is an advanced tutorial. As the author states, “In this tutorial I assume the reader to have a basic knowledge of vim. Basic features like editing, movement, searching, replacing, opening, saving etc. are not covered in this tutorial. I’d recommend going through vimtutor for a basic understanding of vim.”

Make sure you read the comments since they also contain good pointers and one guy points us to two more great vim resources:
http://www.rayninfo.co.uk/vimtips.html
http://www.moolenaar.net/habits.html

Now on to the tutorial: http://blog.smr.co.in/cgi-bin/index.cgi/blogs/linux/1143567189.html

Secure web browsing at any Wifi hotspot

Saturday, May 20th, 2006

If you know anything about wireless, you know it’s not secure. I’m not talking about hacking INTO a wireless network, I’m talking about eavesdropping on the other people connected to the same hotspot you’re connected to. OK, maybe YOU don’t like to eavesdrop on everyone else, but I do.

Since I like to eavesdrop, I assume that other people like to eavesdrop, and that bothers me. I don’t want someone knowing my POP3 password, or my AverageAdmins password, or my AIM password (though this article doesn’t cover protecting your AIM password), or any of my forum or other website passwords. I guess I could set up a VPN at my house, but that would require figuring out how (which is probably pretty easy) and, more importantly, it would require that the router at the hotspot be programmed to allow VPN traffic through AND it would require my ISP at home to allow VPN connections inbound. Sure, you could set up an SSL VPN, but my ISP blocks port 443 inbound.

So, why not SSH to your box at home, do a little port forwarding trickery, and then configure your web browser to use the proxy at home? Now all of your web traffic is carried to your house over an encrypted SSH connection, and nobody at the hotspot can eavesdrop on it. (From your house to the web site it travels as it always did, so keep using SSL for anything sensitive.) No more eavesdropping at the hotspot!

It seems that joe over at AdminSpotting.com has written an excellent article on doing just this.

You can find his article here: http://adminspotting.net/howtos/Secure-and-Private-Browsing-with-Squid.html

===============================

Secure and Private Browsing with Squid

Browsing a site that supports SSL is a definite way to make sure no one can snoop in on what you’re doing — which is a good thing when you’re doing something personal like checking email over the web or buying something from amazon. But if you’re just doing stuff like reading the daily news or checking movie times, is privacy that important? The ultra-paranoid will give a resounding “yes” to that question while most people will just shrug. I find myself in between those two parties. At home while I’m reading the news, I could care less if the traffic is encrypted or not. However, when I’m at a public wi-fi spot, it does bother me a bit.

Most public areas that allow access to the internet have absolutely no security in place. Need a good eye-opener? Next time you’re at a public hotspot, take a copy of the dsniff tools.

This article will show you a way to protect yourself from something like this — in a way. This article will only show you how to protect your web traffic. If you still decide to talk to your CEO over AIM about some ultra-secret product coming out next week while waiting for your next flight, this won’t save you. Squid can, of course, proxy requests for other applications besides HTTP, but HTTP is all I’ll be covering. Maybe I’ll go over other applications in another article.

OK, let’s get started. Here’s what we’ll need:

# A server running Squid on some other network.
# A laptop with ssh and port-forwarding support.

What we’re going to do is set up a Squid server somewhere outside the network we’re currently on. Squid will only accept connections from the server itself — no outside connections. Then how do we use it? We’ll create an SSH tunnel into it. Once the tunnel is created, we simply set our web browser to use a proxy server with the address of our SSH tunnel. Now any web traffic going out of our laptop to our Squid server will be encrypted.

But what about from the Squid server to the actual web page? That stuff won’t be encrypted, unfortunately. But hey, at least we got outside the unprotected LAN securely.

I’ll be using Debian Sarge for the Squid server, but you’re more than welcome to use whatever distro you want. After Squid is installed, the configuration will be exactly the same. To install Squid on Debian, just do:

apt-get install squid

The default configuration for Debian (and maybe other distributions too — better check!) is to only allow connections from the localhost. This doesn’t harm anything, so we can leave it as is. However, we still need a way for us to connect externally. For that, we will add an acl that will prompt us for a password and, if we’re authenticated, let us in. We’ll add it right before the “deny all” portion so it’ll look something like this:

acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access allow password
http_access deny all

By default, Squid listens on port 3128. I personally like 8080 better, so we’ll change it with:

http_port 8080

Next we need to set up authentication for Squid. There are a bunch of different authentication methods that come with the Debian package and they can be viewed with:

ls /usr/lib/squid/*auth

We’ll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. Search for the auth_param section in the config and add these lines:

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Next search for this line and uncomment it:

acl password proxy_auth REQUIRED

Now create a pam module called /etc/pam.d/squid that contains:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

You will need to give this file SUID access so chmod it 4755. Yeah, I know this isn’t the best way to do this but it’s the least complicated. You’re more than welcome to research the other methods on your own.

Squid should be all set and ready to go. Next make sure you have shell access to the server via SSH. It doesn’t matter if you use a password, passphrase, or blank passphrase. To set the tunnel up, run this:

ssh -L 8080:squidhost:8080 username@squidhost

You’ll be asked for authentication and if you’re successful, it’ll look like you’ve logged into the remote box. If you open another window up and type

telnet localhost 8080

You’ll see that you’re now talking to squid on the remote server.

Finally, tell your browser to use the SSH tunnel as a proxy. I won’t go over each individual browser here, but basically it’ll be somewhere in the preferences. For the hostname, just type in localhost and for the port, type in 8080.

Now whenever you browse to a webpage, you’ll be prompted for authentication. Type in your shell account information and you’ll be all set to go. The browser might give a warning about authenticating through plaintext — ignore it. It will be travelling through our SSH tunnel so it will be encrypted.

Congratulations! You may now surf the web without worry of anyone snooping on you. If anyone has any comments, fixes, or ways to improve this method, please let me know!
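
As an added example, not from joe’s article or from the Squid project, here is a Python checker for the parts of squid.conf that decide whether this setup is really tunnel-only. It flags an http_port bound to every interface (the article’s `http_port 8080` together with `http_access allow password` puts a Basic-auth prompt for your shell accounts on the public internet, where those passwords travel base64-encoded, not encrypted), an `http_access allow` rule that grants access without authentication, an acl used before it is defined, a proxy_auth acl with no auth_param helper, and a rule list that does not end in `deny all` (Squid applies the opposite of the last rule to anything unmatched). The two embedded fragments are constructed: the first reproduces the settings the article arrives at, the second is the tightened version the checker accepts.

```python
# Constructed squid.conf fragments (not the article's file). ARTICLE_CONF reproduces
# the settings the tutorial ends up with; TUNNEL_ONLY_CONF is the tightened version.
ARTICLE_CONF = """
http_port 8080
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl password proxy_auth REQUIRED
http_access allow localhost
http_access allow password
http_access deny all
"""

TUNNEL_ONLY_CONF = """
# bound to loopback: only a local process, i.e. the SSH tunnel endpoint, can reach it
http_port 127.0.0.1:8080
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
# every client, tunnel included, must present a shell password
http_access allow password
http_access deny all
"""

WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]"}


def parse_conf(text):
    """Yield (directive, args) for each non-comment line of a squid.conf fragment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def check_squid_conf(text):
    """Return a list of findings; an empty list means the fragment passed every check."""
    findings = []
    acls = {"all": "builtin"}   # 'all' is predefined since Squid 3.2; older builds declare it
    auth_acls = set()
    auth_programs = set()
    rules = []

    for directive, args in parse_conf(text):
        if directive == "http_port" and args:
            spec = args[0]                      # "[addr:]port", options may follow
            addr = spec.rsplit(":", 1)[0] if ":" in spec else ""
            if addr == "" or addr in WILDCARD_ADDRS:
                port = spec.rsplit(":", 1)[-1]
                findings.append(f"http_port {spec} listens on every interface; bind it to "
                                f"127.0.0.1:{port} so only the SSH tunnel can reach it")
        elif directive == "auth_param" and len(args) >= 2 and args[1] == "program":
            auth_programs.add(args[0])
        elif directive == "acl" and len(args) >= 2:
            acls[args[0]] = args[1]
            if args[1] == "proxy_auth":
                auth_acls.add(args[0])
        elif directive == "http_access" and len(args) >= 2:
            action, names = args[0], args[1:]
            for name in names:              # Squid rejects an acl used before its definition
                if name.lstrip("!") not in acls:
                    findings.append(f"http_access {action} uses acl '{name}' before it is defined")
            rules.append((action, names))

    if auth_acls and not auth_programs:
        findings.append("a proxy_auth acl exists but there is no 'auth_param <scheme> program' "
                        "line, so Squid has no helper to verify passwords with")
    for action, names in rules:
        if action == "allow" and not any(n.lstrip("!") in auth_acls for n in names):
            findings.append(f"'http_access allow {' '.join(names)}' grants access without "
                            "authentication to anything matching it")
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("the http_access list does not end with 'deny all'; a request matching "
                        "no rule gets the opposite of the last rule's action")
    return findings


if __name__ == "__main__":
    for label, conf in (("article", ARTICLE_CONF), ("tunnel-only", TUNNEL_ONLY_CONF)):
        problems = check_squid_conf(conf)
        print(f"{label}: {'ok' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

With the tightened fragment the proxy no longer listens on the server’s external address, so the tunnel has to target loopback on the far side: `ssh -L 8080:127.0.0.1:8080 username@squidhost`. Requiring the password for loopback clients as well costs one prompt per session and keeps other shell users on the Squid box from riding the proxy for free. One more caveat on the authentication step: the helper that needs to run as root is the pam_auth binary itself (on Debian, /usr/lib/squid/pam_auth), because pam_unix has to read /etc/shadow to verify a password; a mode bit on /etc/pam.d/squid, a plain text file, changes nothing, and a cheaper alternative to a setuid helper is a dedicated password file with ncsa_auth so no shell password is ever sent to Squid.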

The power in Power Users

Wednesday, May 3rd, 2006

Mark Russinovich has posted an excellent article covering why you or your users shouldn’t be in the Power Users group.

Like his other posts, Mark shows off his research and even wrote another utility for us!

http://www.sysinternals.com/blog/2006/05/power-in-power-users.html

Deploying Auditing Settings and Reporting What is Configured

Friday, April 7th, 2006

If you don’t currently monitor the group policies applied to your local workstations and servers, you *really* should.

It seems as though I’ve seen this mentioned on numerous blogs recently, and when I ran across this how-to I decided I should post it.

This article, like a lot of other articles on WindowsSecurity.com, only touches the surface of the issue. It’s up to the reader to dive further into monitoring and auditing their computers’ settings.

Article: Deploying Auditing Settings and Reporting What is Configured

Assessing a Physical Break-In

Wednesday, March 15th, 2006

Most of our readers understand how important network and host based security are. We focus a lot of attention and energy on preventative measures to put our networks and systems in a better position to thwart digital attacks. We make sure our firewalls and other access control lists are in tip-top shape. We do our best to keep our end users from installing malware or unapproved software on our desktop PCs. We implement least user access (LUA) policies on our desktops and workstations so we don’t perform common daily operations with escalated privileges. We run virus scanning software locally and at the gateways. But how much focus do we dedicate to the physical security of not just our data centers, but of our entire physical infrastructure (local and remote sites) as a whole? Let’s face it: it’s not the network or the PCs we are ultimately securing, it’s the data that is stored on and transmitted through them. We have everything in place, but have we checked the front doors of the buildings we occupy?

About 6-9 months ago, Chris and I were faced with a very scary situation. One of our managers suspected a possible break-in at an off-site call center. Our call center is located off-site in a shared office complex. There are a number of people who have physical access to the building at all hours of the day and night so the means of access were almost unlimited. Our dilemma was to determine if a break-in had occurred, what our exposure was, and how we could prevent a similar event in the future.

Due to a lack of surveillance equipment at the time, we could not tell whether a breach had occurred, and we could not test the alarm during the day without causing a lot of panic among employees. We did everything we could for more than 6 hours to determine whether anything had been compromised, physically or digitally. After further testing after hours we determined, thankfully, that a breach had not occurred. The locking mechanism on the door had gone bad and was scraping against the metal plate on the door facing. The problem had grown worse over time and had bent the metal on the door facing so that the door wouldn’t even close. Looking at it, you could see how someone could have mistaken it for forced entry.

This post will go over some items to check if you suspect a physical break-in at one of your sites. Of course, this is not all-encompassing. I am sure there are many tools one could use to assess a possible break-in at a physical facility. These are some of the steps that we took to investigate our situation. If you have something to add to this list, please post a comment below.
