Educause Security Discussion mailing list archives
Developing "Security Guidelines" email
From: Joshua Beeman <jbeeman () ISC UPENN EDU>
Date: Fri, 25 Feb 2005 15:16:58 -0500
On occasion we have received an email from an IT group on campus that says: "Help! We have a machine that we've wiped & built from scratch 3 times, and it keeps getting hacked. What should we do?" The problem from our perspective in issuing general guidelines to this type of request is that every school or center tends to be set up slightly differently from the next. That said however, we still hope to be able to provide a list of things to consider that will be helpful, stimulate new thought, etc. Towards this end we came up with the list below. Many of the items are biased towards the MS Windows OS. If you maintain a similar list and/or have any feedback or comments, they would be greatly appreciated.

Thanks very much,
joshb

********************

1. P2P - If possible, remove any installed P2P software. Emphasizing to the user that this is a common vector for spyware and unintended disclosure of information hopefully makes them think twice before reinstalling it right after you leave.

2. Strong Passwords / Common passwords - Make the user change their password and enforce strong passwords. If the user is using the same username/password combination they were the first time the machine was compromised, or if the user has a weak password, it may not matter whether the box was effectively rebuilt or patched. Additionally, consider if you are using the same username/password combination (e.g. - local administrator password, generic accounts) on multiple machines. A compromise on one machine may affect the integrity of multiple machines in your domain or on your network. Another reason to enforce strong passwords, or longer passphrases, and change them periodically.

3. Software firewall - Enable the integrated firewall or install a software firewall to block incoming connections. If it is a server, or simply a critical host, consider a hardware firewall of the appropriate scale.

4. Anti-Virus - Make sure that the latest version of the anti-virus client is installed and that the definitions are up to date. If you are not already, consider running a managed solution that allows you to push AV definitions and upgrades from a central location (http://www.upenn.edu/computing/virus/manage-sw.html).

5. OS Patches/SUS service - Make sure that the operating system is up to date at all times. If you are not already, consider running a SUS or SMS server, or participating in the University's SUS program (http://www.upenn.edu/computing/sus/). Additionally, for Windows machines, consider using the Microsoft Baseline Security Analyzer to identify vulnerabilities in the OS as well as certain applications (http://www.microsoft.com/technet/security/tools/mbsahome.mspx).

6. IPSEC filtering - Consider deploying Microsoft's IPSEC as a Group Policy on your domain, or at the very least, on individual hosts. IPSEC has two functions: a) to protect the contents of IP packets (data integrity) and b) to provide a defense against network attacks through packet filtering and the enforcement of trusted communication (availability). With IPSEC filtering in place, you can restrict incoming & outgoing traffic with a granularity not typically associated with integrated software firewalls. You can significantly limit, in real-time, the potential for internal & external (Penn & non-Penn source) exploits with custom rule-sets that are specific to your environment, to a particular host, or even to a particular exploit that happens to be circulating. A quick search of the Microsoft website will turn up a number of documents relating to this topic. I think this is one of the clearer MS IPSEC overviews (sorry for the long URL): http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/sag_IPSECconcept.asp

7. Create & Apply security templates - Using the Microsoft Management Console with the "Security Configuration and Analysis" and the "Security Templates" snap-ins, you can load default policy templates with varying degrees of strictness, such as "SECUREWS" (secure workstation) and "HISECUREWS" (highly secure workstation), and then compare your current configuration to these templates. After reviewing the differences, you can save your own template based on the default recommendations and your organization's needs and apply this template to computers that you support individually or through a Group Policy. Here is some sample documentation from MS: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scedefaultpols.mspx

9. Imaging - If you are using disk imaging (e.g. - Ghost) to repair infected machines and you see compromises quickly *after* re-imaging a host, you may need to consider checking the base image for vulnerabilities such as the ones listed above and possibly rebuild it. If you are unsure about the image and want to set up a test host for Security to do a full-blown vulnerability scan, just contact our office at security () isc upenn edu. Make sure if you request this that it is a test or unused system, as a full scan of this nature can be destructive.

10. Restrict end-user privileges - If you are not already doing it, you may wish to restrict standard end-users with policies and profiles from having the ability to install applications or modify the PC configuration in any way. Obviously, this may not work for all environments.

--
Joshua Beeman
Sr. Information Security Specialist
University of Pennsylvania
jbeeman () isc upenn edu
(215) 573-6798
http://www.upenn.edu/computing/security

What is the single most valuable piece of data on your computer? Is it backed up?

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
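Added example, not part of the original post: a read-only PowerShell audit that checks a rebuilt Windows host against items 2, 3, 4, 5 and 10 of the list above before it goes back on the network. It assumes a current Windows release (Windows 10 / Server 2016 or later) with the NetSecurity, Defender and LocalAccounts modules available, and an elevated session; the 3-, 30- and 90-day thresholds are assumptions to adjust to local policy.

```powershell
# Assumed thresholds (not from the original post); tune to local policy.
$MaxSignatureAgeDays = 3
$MaxPatchAgeDays     = 30
$MaxPasswordAgeDays  = 90
$findings = New-Object System.Collections.Generic.List[string]

# Item 3: the integrated firewall must be on, and block inbound by default, on every profile.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $findings.Add("Firewall profile '$($p.Name)' is disabled") }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' does not block inbound connections by default")
    }
}

# Item 4: AV running with recent definitions (Microsoft Defender is what is queried here).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp -or -not $mp.AntivirusEnabled) {
    $findings.Add("Antivirus is not enabled")
} elseif ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add("AV definitions are $($mp.AntivirusSignatureAge) days old")
}

# Item 5: OS patches; flag a host that has not installed any update recently.
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($null -eq $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("No OS update installed in the last $MaxPatchAgeDays days")
}

# Item 2: enabled local accounts whose password does not expire or has not been changed.
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    if ($null -eq $u.PasswordExpires) { $findings.Add("Local account '$($u.Name)': password does not expire") }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $findings.Add("Local account '$($u.Name)': password not changed in $MaxPasswordAgeDays days")
    }
}

# Item 10: end users should not hold local Administrators membership; list every user member for review.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object ObjectClass -eq 'User'
foreach ($a in $admins) { $findings.Add("Member of local Administrators: $($a.Name)") }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each line of output maps back to a numbered item in the list, so the script doubles as a record of what was verified on a host that keeps being rebuilt.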