Social engineering methods and means for obtaining information have been around for ages.
They seem like simple requests or benign coordinated events, but the truth is that social engineering often exploits your most valuable asset. Your users. A compromised user can then be used to wreak havoc or throw deeper hooks into the targeted network. Most network hacks are incremental in nature with an attack vector that often times leads to a compromised user, admin, or super user.
The easiest way to penetrate, hack, or otherwise take-over a network is to start with the company directory.
The simple example of a social engineering attack might be… ring ring, “hello, this is Joe with the helpdesk. I am working on xyz what is your password?” Social engineering methods are still the most prolific way for attackers to get deep within a network and allow attackers to simply go under the radar while they wreak havoc or steal sensitive data.
A recent spear fishing attack on a US aerospace company leveraged the company directory and intricate email spoofing. The attacker started a conversation from an email that looked like aerospacecompany.com’s email domain. In other words the attacker had the name of a person in the organization with a valid email address and job title, and then registered aerospacecompanyUS.com, a similar looking email domain, to send users targeted malware. They used the company directory and email domain to go deep and got a susceptible IT staff member to open a link and unknowingly involved in the attack. Ultimately the attacker was able to get admin access to critical systems on the network.
It is important to maintain a user awareness and training posture for your organization. Users and stakeholders need to be constantly reminded of internet and email etiquette as well as not to click on un-trusted links. Your network cannot rely solely on technical measures to keep bad people out. Even with anti-virus, anti-malware, updated browsers, and pop-up blockers a social engineering attack takes people and awareness to thwart.
The location and physical security of a server system is one of the first things to consider when putting a system online. Your needs may not dictate that your server be in a secure Tier 4 co-location facility, but your servers may need to be at least in a locked and controlled access room in the back corner of your office suite. The bottom line is that you can’t certify a system secure if it is in common access kitchen that you share with 4 other businesses.
Many IT departments have a safe place that they put the core of their network in. Reliable power and cooling are needed to keep your systems running 24 hours a day 7 days a week. If you are able to co-locate your servers with a service provider then make sure that you have the physical access that you need in case of emergency and after hours needs. Service level agreements with your provider will help ensure that you get the help you need and that when something happens your organization is not left holding the bag.
Environmental concerns should be considered such as flooding and fire protection. Hardware should be placed off the floor to prevent susceptibility to local water pipe flooding. If you can place equipment higher than that, then you are even better off. In 1997 one of the facilities that we were working at had a water main break in the back of the building. Although the water main break was 10 feet below the ground, the water pressure created a large hole, compromised the concrete foundation of the building and mud and water poured into the rest of the building. When workers arrived the next morning they found 6 inches of mud and muck throughout the building. Though there was severe damage to the facility most critical equipment was spared simply because it was elevated off the ground.
Users desktops should also be elevated off the ground for the same reason. Telecom equipment in data closets is typically wall mounted on back boards and should also be positioned at comfortable working heights well off the ground.
Windows Server has new security features, best practice wizards, and sleeker interfaces to enhance the security posture of the operating system installation. Windows Server has a major install base and is relevant to cover for server hardening. Most settings are similar and familiar between the different Windows desktop and server versions.
It should be noted that many of the advanced network management and security features require an Active Directory implementation to fully leverage. As with any corporate network the security is the sum of its parts and we focus here on ensuring that Windows Server systems are properly installed and configured.
Microsoft Server uses Server Manager roles and features to configure and install server components. To open the server manager goto ->Administrative Tools->Server Manager.
Figure 1: Computer Management Interface, all Windows
Figure 2: Server Manager for Microsoft Windows Servers
Microsoft Server Manager gives you a good snapshot of the configured features of your server. You can see firewall settings, registration information, roles installed, and Windows Server features that are installed and enabled. By default a Windows server installation leaves much of this configuration for post-installation tasks.
You can also use the Programs and Features control panel applet to list installed applications. In Windows you can use the Task Manager to view running processes, their paths, and system utilization.
Process explorer is a Sysinternal tool now owned and supported by Microsoft. Process Explorer allows you to see processes and their perspective process trees and dependencies.
Figure 3: Sysinternal Process Explorer showing running processes.
To show disk space and utilization and to manage any disk volumes use the Disk Management feature in the Server Manager.
Figure 4: Windows Server Disk Management view in Computer Management application.
To see startup processes there are several places to check. The msconfig utility is a good place to start. This application gives you the running and startup services all in one convenient place.
Figure 5: Msconfig application showing services and status.
The windows registry contains many settings and startup options as well. Using the regedit application you can check the following registry key for tasks that are set to run when windows starts.
Also, the startup program menu is a good place to look for tasks that may run once a user is logged into the system. Often times malware is started via this startup option out of a users profile directory. Be sure to check both the All Users startup folder and the startup folder in each user profile directory.
Utilize the Windows update application to configure system updates if you do not have an enterprise patch management system. From within the Windows Update applet you can set when your system runs updates and reboot behavior. Many server systems should be manually updated, tested, and restarted during maintenance windows.
Figure 6: Un-configured Windows updates interface for Legacy Windows Operating Systems
Figure 7: Use gpedit to override Windows 10 and Server settings by Microsoft.
Ensure that system time is correct and synchronized to a reliable time source
To setup time synchronization use the system clock or the control panel applet for Date and Time. The Internet Time tab allows you to configure a time source.
Figure 8: Windows interface for setting time server source
You can also utilize the w32tm command line options to configure the Windows Time Service. If your system is on a Windows Domain, time synchronization is important for local maintenance and system tasks. Domain computers will sync to your designated domain controllers which should be synchronized to a reliable external time source. All computer clocks vary slightly and you may notice time drift more on older systems due to low CMOS battery voltage.
To fine tune time synchronization and server settings look at the registry keys under:
From within these registry settings you can edit polling intervals, time sources, and fine tune your time variance and correction behaviors.
Log file maintenance and configuration
Windows log files should be configured properly. Log files are the first place to look when you suspect odd system behavior. Properly configured log files should be setup so that they do not overwrite themselves as this is one method that an attacker might cover their tracks. If possible archive log files and copy them off to another location to prevent log file tampering.
Various third party log management tools are available, but the build in Windows interface allows easy filtering and management of basic log file tasks. You can also use the built in subscription and log file collection services to centralize and copy off log files.
Figure 9: Configuration dialog to change the log file path, size, and overwrite settings. Note: Archive the log file as a minimum.
Lock down file system security, permissions, and Group Policies
Windows utilizes the NTFS file system which allows for granular file permissions based on access control lists. Server 2012 now includes another layer of access control via Dynamic Access Control technology. To edit the NTFS permissions and audit settings for files and directories right click the file or directory and goto Properties. Then under the security tab you can open Advanced Settings to see the following applet.
Figure 10: NTFS Access Control List for wwwroot directory
Note that in order for file auditing to be enabled and active you have to enable object access success and/or failure in the applicable group policy or local security policy and then enable auditing for the files you want to audit access to through these advanced security settings.
Utilize the Local Security Policy management console or edit the effective domain policy to meet your organizations requirements. There are many settings within the Local Security Policy and we touch on a couple important ones here. It is a good idea to look through these settings in detail as you can modify the security behavior in a very granular way depending on your needs.
Password policies should be updated to meet your needs. Password age of 90 days or less is recommended. It is also recommended for the system to remember passwords so that users cannot recycle old passwords. Password length should be over 10 characters and complexity requirements are enabled by default.
Figure 11: Local Security Policy MMC for password policy settings.
Auditing should also be enabled for success and failure. There are several things which you can enable auditing for. At the very least you should enable Success and Failure Auditing for logon events and privileged use. Events that correspond to these settings are logged in the Windows Security event log.
Figure 12: Configure Auditing for Success and Failure of various events.
Under the User Rights Assignment policy you find several settings that are worth checking. You can specify which users have the logon locally rights and can deny or allow granularly based on your needs.
Figure 13: Various user rights assignments on the local policy.
There are various command line tools for applying and testing group policy settings.
The most effective command line tool for seeing the effective audit policy is auditpol.exe. auditpol.exe /get /category:*
To reapply effective policies to a computer you can wait about 15 minutes, restart the machine, or run gpupdate.exe from the command prompt.
Audited objects and events are logged in the system security event logs.
Follow best practices for securing any SQL data and log files. SQL BINN and DATA file directories should only allow those users access that need it. You can also utilize the Best Practice Analyzer to verify your installation and security configuration.
Database security has its own chapter however these things are worth considering. When protecting a database is that data is often times the fields are clear text unencrypted. In the least protected information that you are storing needs to be encyped data fields. Password and sensitive data such as credit card numbers should be hashed and the hashed data value should reside in the database. Encryption of the underlying file system and any database backups is recommended.
User access to database applications should be over SSL connections and clear text authentication should be disabled. SSL certificate installation and safeguarding helps to prevent man-in-the-middle compromises. Backups and file systems should be physically safeguarded to prevent attackers from having a crack at the database. Remember once an attacker has the data or access to the server console your system is as good as hacked with most measures such as encryption and hashing only delaying the disclosure of data.
Web applications should be protected against SQL injection attack methods and all input fields should be filtered and defined.
Configure IIS and verify permissions on website file folders. When you install and configure IIS, only install the features that you need. If you are using third party engines like PHP or WordPress be sure to keep these packages up to date with the latest stable release. Known vulnerabilities in third party apps are often the attack vector used to compromise a system.
IIS includes built in security features that should be enabled and configured such as URL Authorization, Request Filtering, and IP address restrictions. Request filtering passes all incoming requests through a set of rules that helps to ensure only valid requests are allowed.
The IIS management console allows you to configure these settings and adjust them to meet your needs.
Configuration should take into account your network segmentation and server placement. Windows Firewall is a robust host based firewall which allows for granular port, protocol, and application configuration. Only those services that need to be opened should be opened.
Windows firewall comes pre-loaded with inbound and outbound rules for most services. You can enable and disable these as a starting point.
Figure 15: Windows Firewall and Advanced security interface.
Please see section on security through obscurity for more settings.
Even though Symantec recently reported that Anti-virus is useless, it is recommended to run anti-virus or anti-malware software on your system. These applications or only as good as their configuration and current definition versions but can allow you to be protected against known wild variants of bad software.
System files should be checked for integrity and compared regularly to known good source. You can easily find and compare checksums of system files and backup files. If configuration files have changed it should raise a red flag.
Commercial anti-virus software is available for Windows systems and is recommended to have this installed and properly configured. Some anti-virus software has problems with large database files so you will want to exclude them from scanning if your disk and CPU utilization is a problem. Automatic updates or at least regular manual updates should be configured for your anti-virus solution.
Windows server makes use of the Security Configuration Wizard (SCW) to help configure your system. The security configuration wizard can be launched from within the Administrative tools or the server manager tools.
Figure 16: Windows Security Configuration Welcome screen
This built in Microsoft wizard allows you to create, edit, apply existing or roll back configuration settings. The wizard asks you questions about your desired configuration and then attempts to make the Security Policy changes and Firewall changes for you based on your needs.
Figure 18: The SCW Viewer allows you to see at a glance what your settings are
Utilizing the SCW Viewer you can look at your configuration database and the settings which the wizard can control. Once you find the configuration that is proper for your application you can save these and apply them to other servers in your environment.
Before applying SCW settings you can see the before and after settings on various services and features.
Figure 19: Print spool service before configuration changes and after
It is important to note that you should understand what the underlying consequences are for changing the settings through this wizard. A production server should be tested before applying new policies and you should make sure that you get a backup of your settings before you proceed if your system is already in production.
#WannaCry SMB Stack Hardening – Example of hardening to mitigate a security threat on your network.
During the week of Monday May 8th, 2017 a fast spreading malware referred to as WannaCry began to spread around the globe affecting many networks with a ransomeware. Ransomeware is when a targetted computer is taken over by a program where the data or system is held hostage or in the case of the WannaCry attack is encrypted with a message to pay a ransome in order to restore usability.
The WannaCry malware attacks primarily used a known vulnerability in the Microsoft core Server Mesage Block protocol, or SMBv1. Microsoft released patches for this particular vulnerability however one way to mitigate this problem and future problems with SMBv1 is to disable this protocol and enable or force SMBv2 and SMBv3.
After disabling SMBv1 and Enabling SMBv2 you can then re-run the “Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2ProtocolGet-SmbServerConfiguration” command and see similar output to the following screen shot.