Application Hardening

A good place to begin securing a network is by making sure that each and every system in the network is up to date and by verifying that only the protocols that are actually needed are enabled. Unfortunately, these steps are not enough. Your servers and workstations also run applications and services. Servers (especially web, e-mail, and media servers) are particularly vulnerable to exploitation and attack. These applications must also be hardened to make them as difficult as possible to exploit.

This section deals with hardening your applications, both on the desktop and at the server, to provide maximum security.

Web Servers

Web servers seem to be one of the favorite areas for attackers to exploit. Internet Information Server (IIS), a common web server, continually makes it into the news. IIS, like most web servers, provides connections for web browsers.

Web servers were originally very simple and were used primarily to provide HTML text and graphics content. Modern web servers allow database access, streaming media, and virtually every other type of service that can be contemplated. This diversity gives websites the ability to provide rich and complex capabilities to web surfers.

Every service and capability supported on a website is potentially a target for exploitation. Make sure they are kept to the most current software standards.

E-Mail Servers

E-mail servers provide the communications backbone for many businesses. These servers typically either run as an additional service on an existing server or they can be dedicated systems. Putting an active virus scanner on e-mail servers can reduce the number of viruses introduced into your network, as well as prevent viruses from being spread by your e-mail server. Figure 5.5 illustrates an e-mail virus scanner being added to a server. In this implementation, the scanner filters incoming e-mails that are suspicious and informs e-mail users of a potential system compromise. This feature will no doubt become a standard feature of most e-mail servers in the very near future. It is very effective in preventing the spread of viruses via e-mail.


Figure 5.5: E-mail virus scanner on an e-mail server

Several servers use data stores, or storage, to allow collaboration, meeting scheduling, conferencing, and other functions. The functionality and capabilities of these servers are increasing on a regular basis. Keep them up to date and current.

FTP Servers

File Transfer Protocol (FTP) servers are not intended for high security applications. Most FTP servers allow you to create file areas on any drive on the system. Create a separate drive or subdirectory on the system to allow file transfers. If possible, use VPN or SSH connections for FTP-type activities. FTP is not notable for security, and many FTP systems send account and password information across the network unencrypted.

From an operational security perspective, use separate logon accounts and passwords for FTP access. This will prevent system accounts from being disclosed to unauthorized individuals. Also make sure that all files that are stored on an FTP server are scanned for viruses. FTP is one of the tools frequently used to exploit systems.

DNS Servers

Domain Name Service (DNS) servers resolve hostnames to IP addresses. This service allows a website name such as www.sybex.com to be resolved to an IP address such as 192.168.1.110.

Warning 

A registrar manages your domain name. Most registrars require an annual renewal fee. If these fees are not paid, another company will be able to hijack your domain name. This has embarrassed many organizations.

DNS servers can be used internally for private functions, as well as externally for public lookups. DNS-related attacks are not common, but they seem to come in one of three types:

DNS DoS attacks: DoS attacks are primarily aimed at DNS servers. The intention here is to disrupt operations of the server, thereby making the system unusable. Make sure that your DNS server software and the operating system software are kept up to date. This will tend to minimize the impact of DoS attacks.

Network Footprinting: A great deal of information about your network is stored in DNS servers. By using one of the common DNS lookup programs that are available, like NSLOOKUP, an attacker can learn about your network configuration. DNS entries typically include information pertaining to domain names, mail, web, commerce, and other key servers in your network. Keep the amount of information stored about your network to a bare minimum in external DNS servers. Make attackers work for the information.

Record Integrity: DNS lookup systems usually involve either a primary, or a primary and a secondary DNS server. If a change is made to a primary or secondary server, the change will propagate to other trusted DNS servers. If a bogus record is inserted into a DNS server, the record will point to the location the attacker intends rather than to a legitimate site. Imagine the embarrassment to a corporation when their website visitors are redirected to a competitor or, even worse, a porno site. Make sure that all DNS servers require authentication before updates are made or propagated. This will help ensure that unauthorized records do not get inserted into the servers.
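
The advice above to keep external DNS data to a bare minimum can be checked mechanically. The following is an added example, not part of the original text: it audits a constructed zone file for records that publish internal addressing or host descriptions. The zone contents, the simplified one-record-per-line parser, and the choice of which record types count as descriptive are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges: addresses that only make sense inside the network
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: record types treated here as descriptive rather than required
DESCRIPTIVE_TYPES = {"HINFO", "RP", "LOC"}

# Constructed external zone, one record per line with an explicit owner name
ZONE = """\
$ORIGIN example.com.
@      3600 IN NS    ns1.example.com.
@      3600 IN MX    10 mail.example.com.
www    3600 IN A     203.0.113.10
mail   3600 IN A     203.0.113.25
ns1    3600 IN A     203.0.113.53
hr-db  3600 IN A     10.20.30.40      ; internal host published by mistake
www    3600 IN HINFO "x86" "Linux"
"""

def parse_zone(text):
    """Yield (owner, type, rdata) from a simplified one-line-per-record zone."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):      # skip blanks and directives
            continue
        tokens = line.split()
        name, rest = tokens[0], tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                       # skip TTL and class
        if rest:
            yield name, rest[0].upper(), " ".join(rest[1:])

def audit_external_zone(text):
    """Return (owner, type, reason) for records that reveal more than needed."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype in DESCRIPTIVE_TYPES:
            findings.append((name, rtype, "describes the host or its owner"))
        elif rtype == "A":
            try:
                addr = ipaddress.IPv4Address(rdata)
            except ValueError:
                findings.append((name, rtype, "unparseable address"))
                continue
            if any(addr in net for net in RFC1918):
                findings.append((name, rtype, "internal (RFC 1918) address"))
    return findings

if __name__ == "__main__":
    for finding in audit_external_zone(ZONE):
        print(finding)
```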

NNTP Servers

Network News Transfer Protocol (NNTP) servers provide the capability for network news messages. NNTP servers can become overwhelmed by spam (unsolicited junk mail) and DoS attacks. Many newsgroups servers use a moderator to ensure that spam messages are not propagated to subscribers of the newsgroup.

Note 

NNTP servers in many public settings have become overwhelmed with junk mail. A moderator, as well as automated tools called robots, are usually used to screen as much of this junk as possible from subscribers. Newsgroups that do not use these types of approaches have become virtually useless as communications tools.

Many newsgroups started out as a small group of users who shared a common interest. Some of these newsgroups have grown to tens of thousands of members worldwide. The amount of traffic or messages on these servers has long since overrun the capability of moderators to manage.

NNTP servers are also commonly used for internal communications in a company or community. These newsgroup servers should require authentication before accepting a posting or allowing a connection to be made.

Warning 

Use caution when signing newsgroups with your real e-mail account. Many spammers use this information to send junk mail. You may become inundated with junk mail.

Several scanning programs are now available to help reduce the amount of junk mail these systems process. Of course, as with all good countermeasures, someone always comes up with a way to neutralize their effectiveness.

File and Print Servers and Services

File and print servers are primarily vulnerable to DoS and access attacks. DoS attacks can be targeted at specific protocols and overwhelm a port with activity. Make sure that these servers run only the protocols needed to support the network. In a network that has PC-based systems, make sure that NetBIOS services are disabled on servers or that an effective firewall is in place between the server and the Internet.

Many of the popular attacks that are occurring on systems today occur through the NetBIOS services. These are Ports 135, 137, 138, and 139. On UNIX systems, make sure that Port 111, the remote procedure call (RPC) port, is closed. RPC is a programming interface that allows a remote computer to run programs on a local machine. This has created serious vulnerabilities in systems that have RPC enabled.

Directory sharing should be limited to what is essential to perform systems functions. Make sure that any root directories are hidden from browsing. It is better to designate a subfolder or subdirectory off the root directory and share it rather than a root directory. Figure 5.6 illustrates this concept in further detail. Notice that when a user connects to the network-shared directory, they are not aware of where this share actually is in the hierarchy of the file system.


Figure 5.6: Network share connection

Note 

Never share the root or parent directory of a disk drive. This creates a potential vulnerability to every file on the system. Share subdirectories.

If an attacker penetrates a root directory, all of the subdirectories under that directory are vulnerable. If a subdirectory is penetrated, only the directories that reside below it are exposed—in most cases.

DHCP Services

Dynamic Host Configuration Protocol (DHCP) is used in many networks to automate the assignment of IP addresses to workstations. DHCP services can be provided by many different types of devices, including routers, switches, and servers. The DHCP process involves the leasing of a TCP/IP address to a workstation for a specified time. DHCP can also provide other network configuration options to a workstation.

In a given network, or segment, only one DHCP server should be running. If more than one is running, they will clash with each other over who provides the address. This can cause duplication of TCP/IP addresses and potentially cause addressing conflicts.

DHCP-enabled clients can be serviced by a NAT server. (See Chapter 1, "General Security Concepts," for a discussion of NAT servers.) DHCP usage should be limited to workstation systems.

Real World Scenario: Where Did All These Strange IP Addresses Originate?

Some of your computer users have suddenly started calling you to indicate that after rebooting their systems, they can no longer access network services or the Internet. After investigating the situation, you discover that the IP addresses they are using are invalid for your network. The IP addresses are valid, but they are not part of your network. You have inspected your DHCP server and cannot find a reason for this. What should you investigate next?

In all probability, someone has configured another server or device in your network with an active DHCP server. This server is now leasing addresses to these users instead of to your server.

This happens when administrators or developers are testing pilot systems. Make sure that all test systems are isolated from your production network either by a router or by some other mechanism. These servers are referred to as rogue servers, and they can cause much confusion in a DHCP environment.

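
The rogue server in the scenario above can be spotted from the DHCP replies themselves, because every offer carries the identifier of the server that sent it. The following is an added example, not part of the original text: it parses DHCP reply payloads and reports offers from servers that are not on an allow-list. The authorized server address and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options field
OFFER, ACK = 2, 5                  # values of option 53 (DHCP message type)
AUTHORIZED = {"10.0.0.5"}          # assumption: the one production DHCP server

def build_reply(msg_type, server_ip, offered_ip):
    """Build a minimal server-to-client DHCP message (constructed test data)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x1234, 0, 0,                      # op=BOOTREPLY, Ethernet, xid
        bytes(4), ipaddress.IPv4Address(offered_ip).packed, bytes(4), bytes(4),
        bytes.fromhex("020000000001"), b"", b"")       # chaddr, sname, file
    options = (bytes([53, 1, msg_type]) + bytes([54, 4]) +
               ipaddress.IPv4Address(server_ip).packed + b"\xff")
    return header + DHCP_MAGIC + options

def parse_dhcp(payload):
    """Return (message_type, server_id, offered_ip), or None if not a DHCP reply."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != DHCP_MAGIC:
        return None
    offered = str(ipaddress.IPv4Address(payload[16:20]))   # yiaddr field
    msg_type = server_id = None
    i = 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        if payload[i] == 0:                                # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                          # truncated option header
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) < length:
            break                                          # truncated option body
        if code == 53 and length == 1:
            msg_type = data[0]
        elif code == 54 and length == 4:                   # server identifier
            server_id = str(ipaddress.IPv4Address(data))
        i += 2 + length
    return msg_type, server_id, offered

def find_rogue_servers(packets, authorized=AUTHORIZED):
    """Map each unauthorized server identifier to the addresses it handed out."""
    rogue = {}
    for payload in packets:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        msg_type, server_id, offered = parsed
        if msg_type in (OFFER, ACK) and server_id and server_id not in authorized:
            rogue.setdefault(server_id, []).append(offered)
    return rogue

# Constructed capture: one legitimate offer, two replies from a test device
SAMPLE = [build_reply(OFFER, "10.0.0.5", "10.0.0.50"),
          build_reply(OFFER, "192.168.1.1", "192.168.1.23"),
          build_reply(ACK, "192.168.1.1", "192.168.1.23")]
```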

Data Repositories

Many of the systems that are being used in networks today rely heavily on stored data. This data is usually kept in servers that provide directory services and database services. These systems are referred to as data repositories. This section discusses some of the more common data repositories in use. Most data repositories are enabled by some form of database technology.

Directory Services

Directory services are tools that help organize and manage complex networks. Directory services allow data files, applications, and other information to be quickly and easily relocated within a network. This greatly simplifies the administrative tasks, and it allows programmers and developers to better utilize network resources. The more current methods treat data and other network resources as objects. This object-oriented approach allows information to be stored and accessed based on certain characteristics or attributes.

In addition to creating and storing data, directory services must also publish appropriate data to users. Perhaps the best way to think of this function is to think of it as the yellow and white pages of a business phone directory. A business would want its name and phone number published in alphabetical order. The business would also likely want its name listed in one or more categories in the directory. If you were a computer consultant, you might want your name and phone number listed under computer consultants, computer trainers, and other areas. This is what a directory can accomplish for you. Most directory services have implemented a model of hierarchy similar to the one illustrated in Figure 5.7. This hierarchy allows an object to be uniquely identified to directory users.


Figure 5.7: Directory structure showing unique identification of a user

Security for directory services is critical, and it is typically accomplished by using both authentication and access control. You wouldn't want your directory entry to show up just anywhere, would you?

This section briefly describes the more common directory services used in the field. LDAP, eDirectory, and AD are becoming more common, and they will present additional opportunities for misuse in the future.

LDAP: Lightweight Directory Access Protocol (LDAP) is a standardized directory access protocol that allows queries to be made of directories (specifically, a pared down X.500-based directory). If a directory service supports LDAP, you can query that directory with an LDAP client, but LDAP itself is the protocol, not the directory. LDAP is growing in popularity and is being used extensively in online white and yellow pages.

Active Directory: Microsoft implemented a directory service called Active Directory (AD) with Windows 2000. For Microsoft products, AD is the backbone for all security, access, and network implementations from here on out. AD allows full control of resources by administrators. It is a proprietary directory service that provides services for other directory services, such as LDAP. AD functions are managed by one or more servers. These servers are connected in a tree structure that allows information to be shared or controlled through the entire AD structure.

X.500: The X.500 standard was implemented by the International Telecommunications Union (ITU), an international standards group, for directory services in the late 1980s. The X.500 directory structure was the basis for later models of directory structure, such as LDAP. The major problem in the industry in implementing a full-blown X.500 structure revolved around the complexity of the implementation. Novell was one of the first manufacturers to implement X.500 in its NetWare NDS product.

eDirectory: eDirectory is the backbone for Novell networks. eDirectory stores information on all system resources, users, and any other relevant information about systems attached to a NetWare server. eDirectory is an upgrade and replacement for NDS, and it has gained wide acceptance in the community.

DNS: DNS is one of the most popular directory services in use today. DNS can identify an individual computer system on the Internet. DNS, as you may recall, maps IP addresses to domain names and to individual systems.

Databases

The key reason computers are installed is for their ability to store, access, and modify data. The primary tool for data management is the database. Databases have become increasingly sophisticated, and their capabilities have grown dramatically over the last ten years. This growth has created opportunities to view data in new ways; it has also created problems for both designers and users of these products.

This section briefly discusses database technologies and some of the more common issues associated with vulnerabilities in database systems.

Database Technologies

The relational database has become the most common approach to database implementation. This technology allows data to be viewed in dynamic ways based on the need. The most common language used to speak to databases is called Structured Query Language (SQL). SQL allows queries to be configured in real-time and passed to database servers. This flexibility causes a major vulnerability when it is not implemented securely.

Note 

Do not confuse the term SQL. Microsoft's database product is called SQL Server. SQL Server implemented the SQL language, as have most other database manufacturers.

You might want to get the phone numbers of all the customers who live in a certain geographic area and have purchased products from you in the last two years. In a manual system, you would first need to determine which customers live in the area you want. You would need to perform a manual search of customer records, and then you would need to identify which customers have made purchases. This type of process could be very involved, and it would be time consuming.

In a database environment, you could query the database to find all records that meet your criteria and then print them. The command to do this might be a single line of code or it might require thousands of instructions. Obviously, the increase in productivity is a worthwhile investment.

Corporate or organizational data is one of an organization's most valuable possessions. It usually resides either in desktop systems or in large centralized database servers. This information makes the servers tempting targets for industrial espionage and damage.

Database Server Vulnerabilities

Database servers suffer from all of the vulnerabilities that we have discussed to this point. Additionally, the database itself is a complex set of programs that work together to provide access to data.

Early database systems connected the end user directly to the data through applications programs. These programs were intended to allow easy data access and to allow transactions to be performed against the database. In a private network, physical security was usually all that was needed to protect the data.

As the Internet has grown, businesses have allowed customer access to data such as catalogs, order status, online ordering, and virtually any other capabilities that they have wanted. This increased interoperability has added additional coding, additional software, and increased complexity to the database issue.

Software manufacturers work very hard to keep up with customer demands. Unfortunately, they frequently release software that is prone to security problems.

The increase in demand for database-oriented systems and the security problems introduced by software developers and manufacturers have largely been the biggest area of vulnerability for database servers.

Access and Design Considerations

To improve system performance, as well as to improve the security of databases, companies have implemented the tiered model of systems. Three different models are explained here:

One-Tier Model: In a one-tier model, or single-tier environment, the database and the application exist on a single system. This is very common on a desktop system that is running a stand-alone database. Early UNIX implementations also worked in this manner. Each user would sign on to a terminal and run a dedicated application that accessed the data.

Two-Tier Model: In a two-tier model, the client PC or system runs an application that communicates with the database that is running on a different server. This is a very common implementation, and it works well for many applications.

Three-Tier Model: Three-tier models effectively isolate the end user from the database by introducing a middle-tier server. This server accepts requests from clients, evaluates them, and then sends them on to the database server for processing. The database server sends the data back to the middle-tier server, which then sends the data to the client system. This approach is becoming common in business today. The middle server can also control access to the database and provide additional security.

The three models provide increasing capability and complexity. Each system involved must be individually managed and kept current for this system to provide security.
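
The middle tier's role of accepting a request, evaluating it, and only then querying the database can be sketched with the customer phone number query described earlier. The following is an added example, not part of the original text: the client supplies only a region name, never SQL, and the middle tier validates it and runs a fixed parameterized query. The table layout, the region format, and the sample rows are constructed assumptions.

```python
import re
import sqlite3
from datetime import date, timedelta

REGION_RE = re.compile(r"[A-Z]{1,16}")   # assumption: regions are short codes

def build_demo_db():
    """Create an in-memory database with constructed customer data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT,
                               phone TEXT, region TEXT);
        CREATE TABLE purchases(customer_id INTEGER, purchased_on TEXT);
    """)
    today = date.today()
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        (1, "Ada", "555-0101", "NORTH"),
        (2, "Bob", "555-0102", "NORTH"),
        (3, "Cy",  "555-0103", "SOUTH"),
    ])
    db.executemany("INSERT INTO purchases VALUES (?, ?)", [
        (1, (today - timedelta(days=30)).isoformat()),
        (2, (today - timedelta(days=1200)).isoformat()),   # older than two years
        (3, (today - timedelta(days=10)).isoformat()),
    ])
    return db

def recent_customer_phones(db, region, years=2):
    """Middle tier: evaluate the request, then run a fixed parameterized query."""
    if not isinstance(region, str) or not REGION_RE.fullmatch(region):
        raise ValueError("invalid region")           # rejected before the database
    cutoff = (date.today() - timedelta(days=365 * years)).isoformat()
    rows = db.execute(
        "SELECT DISTINCT c.phone FROM customers c "
        "JOIN purchases p ON p.customer_id = c.id "
        "WHERE c.region = ? AND p.purchased_on >= ? "
        "ORDER BY c.phone",
        (region, cutoff),                            # values bound, not concatenated
    ).fetchall()
    return [row[0] for row in rows]                  # client sees phone numbers only

if __name__ == "__main__":
    print(recent_customer_phones(build_demo_db(), "NORTH"))
```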



CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
EAN: 2147483647
Year: 2006
Pages: 167
