Server Hardening Primer 
Dr. Eric Vanderburg 
Director, Information Systems and Security 
Computer Forensic and Investigation Services 
JURINNOV LTD 
John Tsai, CEH, CISSP 
Security Engineer 
JURINNOV LTD
Objectives
• Disable nonessential systems
• Harden operating systems
• Harden applications
• Harden networks
Disabling Nonessential Systems
• First step in establishing a defense against computer attacks is to turn off all nonessential systems
• The background program waits in the computer’s random access memory (RAM) until the user presses a specific combination of keys (a hot key), such as Ctrl+Shift+P
• Then, the idling program springs to life
Disabling Nonessential Systems (continued)
• Early terminate-and-stay-resident (TSR) programs performed functions such as displaying an instant calculator, small notepad, or address book
• In Microsoft Windows, a background program, such as Svchost.exe, is called a process
• The process provides a service to the operating system indicated by the service name, such as AppMgmt
Disabling Nonessential Systems (continued)
• Users can view the display name of a service, which gives a detailed description, such as Application Management
• A single process can provide multiple services
Disabling Nonessential Systems (continued)
• A service can be set to one of the following modes:
  • Automatic
  • Manual
  • Disabled
• Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system
Disabling Nonessential Systems (continued)
• The User Datagram Protocol (UDP) provides connectionless transfer within the TCP/IP suite
• TCP and UDP are based on port numbers
• Socket: combination of an IP address and a port number
• The IP address is separated from the port number by a colon, as in 198.146.118.20:80
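The two slides above connect service startup modes to sockets: every listening socket is an entry into the system, and the startup mode of the owning service decides whether that entry stays open. The following Python script is an added example (not part of the original slides, and not JurInnov code) that joins the two: it parses endpoints in the address:port form shown on the slide, reads a netstat-style listing, maps each listener to its service, and reports which services outside a baseline should be set to Disabled. The listing, the pid-to-service table and the baseline are constructed; on a real host they would come from `netstat -ano` and the Services console on Windows, or `ss -ltunp` on Linux. The parser also handles bracketed IPv6 endpoints, which go beyond the IPv4 case on the slide.

```python
"""Listening-socket audit against a service baseline.

Added example, not code from the original slides. The netstat-style
listing, the pid-to-service table and the baseline are all constructed
here; on a real host they would come from `netstat -ano` and the Services
console on Windows, or `ss -ltunp` on Linux.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Socket:
    """A socket in the slide's sense: IP address plus port number."""
    ip: str
    port: int


def parse_socket(text: str) -> Socket:
    """Split 'address:port' on the LAST colon.

    Splitting on the last colon keeps IPv6 addresses, which themselves
    contain colons, intact; surrounding brackets ('[::1]:3389') are removed.
    """
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an address:port endpoint: {text!r}")
    port_no = int(port)
    if not 0 <= port_no <= 65535:
        raise ValueError(f"port out of range: {port_no}")
    return Socket(host.strip("[]"), port_no)


# Constructed sample in the shape of `netstat -ano` output: protocol,
# local endpoint, foreign endpoint, [state], owning pid. UDP rows carry
# no state column, so fields are taken by position from both ends.
NETSTAT_LINES = """\
TCP    198.146.118.20:80     0.0.0.0:0    LISTENING   1204
TCP    0.0.0.0:135           0.0.0.0:0    LISTENING   880
TCP    [::]:3389             [::]:0       LISTENING   1320
UDP    0.0.0.0:123           *:*                      1044
"""

# Constructed: pid -> (service name, startup mode)
SERVICES = {
    1204: ("W3SVC", "Automatic"),
    880: ("RpcSs", "Automatic"),
    1320: ("TermService", "Manual"),
    1044: ("W32Time", "Automatic"),
}

# Constructed baseline of services this host is required to run.
ESSENTIAL = {"RpcSs", "W32Time"}


def parse_listeners(listing: str):
    """Yield (protocol, local socket, pid) for every listing row."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[0], parse_socket(fields[1]), int(fields[-1])


def audit(listing=NETSTAT_LINES, services=SERVICES, essential=ESSENTIAL):
    """Every listening socket is an entry point. Return one finding per
    listener owned by a service outside the baseline, with the startup
    mode change that closes it: (service, proto, endpoint, mode, action)."""
    findings = []
    for proto, sock, pid in parse_listeners(listing):
        name, mode = services.get(pid, ("<unknown pid>", "<unknown>"))
        if name in essential:
            continue
        action = ("already Disabled" if mode == "Disabled"
                  else "stop service and set startup mode to Disabled")
        findings.append((name, proto, f"{sock.ip}:{sock.port}", mode, action))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep="  ")
```

Run as-is, the audit reports W3SVC (listening on 198.146.118.20:80) and TermService (listening on [::]:3389) as the two services to stop and set to Disabled; RpcSs and W32Time are left alone because they are in the baseline. A listener whose pid is absent from the service table is reported as an unknown process rather than silently skipped, since that is exactly the case worth a second look.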
Hardening Operating Systems
• Hardening: process of reducing vulnerabilities
• A hardened system is configured and updated to protect against attacks
• Three broad categories of items should be hardened:
  • Operating systems
  • Applications that the operating system runs
  • Networks
Hardening Operating Systems (continued)
• You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2008 R2 or Linux
Applying Updates
• Operating systems are intended to be dynamic
• As users’ needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis
• However, vendors release a new version of an operating system every two to four years
• Vendors use certain terms to refer to the different types of updates
Applying Updates (continued)
• A service pack (a cumulative set of updates including fixes for problems that have not been made available through updates) provides the broadest and most complete update
• A hotfix does not typically address security issues; instead, it corrects a specific software problem
Applying Updates (continued)
• A patch or a software update fixes a security flaw or other problem
  • May be released on a regular or irregular basis, depending on the vendor or support team
• A good patch management system includes documentation and consistent implementation
Securing the File System
• Another means of hardening an operating system is to restrict user access
• Generally, users can be assigned permissions to access folders (also called directories in the command shell and UNIX/Linux) and the files contained within them
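The slide above states the principle (permissions are assigned to folders and apply to the files inside them) without showing how an effective permission is worked out. The Python model below is an added example, not code from the original slides or from JurInnov: each folder or file carries access-control entries that allow or deny rights to a user or group, entries are inherited from parent folders unless a folder opts out, and an explicit deny overrides any allow. The tree, the groups and the users are constructed, and the evaluation order is a teaching simplification of NTFS and POSIX-ACL behaviour rather than a reimplementation of either.

```python
"""Effective file permissions with folder-to-file inheritance.

Added example, not code from the original slides. The tree, groups and
users are constructed; deny-overrides-allow with inheritance is a
simplified model of NTFS/POSIX-ACL semantics, not a reimplementation.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Ace:
    principal: str            # user or group the entry applies to
    rights: frozenset         # e.g. frozenset({"read", "write"})
    allow: bool = True        # False = explicit deny


@dataclass
class Node:
    aces: list = field(default_factory=list)
    inherit: bool = True      # False: do not take entries from the parent


# Constructed directory tree. Folders not listed behave as empty nodes
# that simply pass their parent's entries through.
TREE = {
    "/": Node([Ace("Everyone", frozenset({"read"}))]),
    "/finance": Node(
        [Ace("Finance", frozenset({"read", "write"})),
         Ace("Contractors", frozenset({"write"}), allow=False)],
        inherit=False),
    "/finance/budget.xlsx": Node(),
    "/public/readme.txt": Node(),
}

# Constructed group membership; every user is also in Everyone.
MEMBERSHIP = {
    "alice": {"Finance", "Everyone"},
    "bob": {"Finance", "Contractors", "Everyone"},
    "carol": {"Everyone"},
}


def applicable_aces(path: str, tree=TREE):
    """Entries in force at `path`: its own, then each ancestor's, walking
    toward the root and stopping at the first folder that does not inherit."""
    p = PurePosixPath(path)
    aces = []
    for node_path in [p, *p.parents]:
        node = tree.get(str(node_path), Node())
        aces.extend(node.aces)
        if not node.inherit:
            break
    return aces


def effective_rights(user: str, path: str, tree=TREE, membership=MEMBERSHIP):
    """Rights `user` ends up with on `path`. Deny entries win over allows,
    which is why a user in both Finance and Contractors loses write."""
    principals = {user} | membership.get(user, set())
    allowed, denied = set(), set()
    for ace in applicable_aces(path, tree):
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, sorted(effective_rights(who, "/finance/budget.xlsx")))
```

Two points the model makes visible: because /finance does not inherit, the read right granted to Everyone at the root never reaches budget.xlsx, so carol gets nothing there while she can still read /public/readme.txt; and bob, who is in Finance but also in Contractors, keeps read but loses write to the explicit deny. Auditing a share for "who can actually write here" is a question about the union of inherited entries and group memberships, not about any single folder's entry list.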
Securing the File System (continued)
• Microsoft Windows provides a centralized method of defining security on the Microsoft Management Console (MMC)
  • A Windows utility that accepts additional components (snap-ins)
  • After you apply a security template to organize security settings, you can import the settings to a group of computers (Group Policy object)
Securing the File System (continued)
• Group Policy settings: components of a user’s desktop environment that a network system administrator needs to manage
• Group Policy settings cannot override a global setting for all computers (domain-based setting)
• Windows stores settings for the computer’s hardware and software in a database (the registry)
Hardening Applications
• Just as you must harden operating systems, you must also harden the applications that run on those systems
• Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system
Hardening Servers
• Harden servers to prevent attackers from breaking through the software
• Web server delivers text, graphics, animation, audio, and video to Internet users around the world
Hardening Servers (continued)
• Mail server is used to send and receive electronic messages
• In a normal setting, a mail server serves an organization or set of users
• All e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user
Hardening Servers (continued)
• In an open mail relay, a mail server processes e-mail messages not sent by or intended for a local user
• File Transfer Protocol (FTP) server is used to store and access files through the Internet
  • Typically used to accommodate users who want to download or upload files
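The two mail-server slides above define the normal case (mail either comes from a trusted user or is addressed to one) and the misconfiguration (an open relay accepts mail that is neither). The Python function below is an added example, not code from the original slides or from JurInnov, that encodes that closed-relay policy as a decision a server makes per envelope, with the open-relay behaviour available as a flag for contrast. The local domains, the trusted client network and the sample envelopes are constructed; a real server would draw them from its configuration and from the SMTP session.

```python
"""Closed-relay policy check for a mail server.

Added example, not code from the original slides. Local domains, trusted
networks and the sample envelopes are constructed.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}     # constructed: domains with local mailboxes
TRUSTED_NETS = ["10.0.0.0/8"]       # constructed: internal clients allowed to submit


@dataclass(frozen=True)
class Envelope:
    client_ip: str        # connecting client
    authenticated: bool   # SMTP AUTH succeeded
    mail_from: str
    rcpt_to: str


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def trusted_client(env: Envelope, trusted_nets=TRUSTED_NETS) -> bool:
    """A client is trusted if it authenticated or sits on an internal network."""
    ip = ipaddress.ip_address(env.client_ip)
    return env.authenticated or any(ip in ipaddress.ip_network(n) for n in trusted_nets)


def relay_decision(env: Envelope, local_domains=LOCAL_DOMAINS, open_relay=False):
    """Return ("accept", reason) or ("reject", reason).

    Closed policy: inbound mail to a local recipient is accepted from
    anyone; outbound mail is accepted only from a trusted (internal or
    authenticated) client; anything else is third-party relaying.
    open_relay=True is the misconfiguration: everything is accepted."""
    if open_relay:
        return "accept", "open relay: any sender to any recipient"
    if domain(env.rcpt_to) in local_domains:
        return "accept", "inbound for local recipient"
    if trusted_client(env):
        return "accept", "outbound from trusted client"
    return "reject", "relay access denied"


# Constructed SMTP envelopes as a mail server would see them.
ATTEMPTS = [
    Envelope("203.0.113.7", False, "news@other.test", "alice@example.com"),
    Envelope("10.1.1.5", False, "alice@example.com", "carol@other.test"),
    Envelope("203.0.113.8", True, "bob@example.com", "carol@other.test"),
    Envelope("203.0.113.7", False, "promo@spam.test", "victim@other.test"),
]


def relay_attempts(envelopes=ATTEMPTS):
    """Envelopes a closed relay refuses; the same list an open relay would
    have forwarded on a stranger's behalf."""
    return [e for e in envelopes if relay_decision(e)[0] == "reject"]


if __name__ == "__main__":
    for env in ATTEMPTS:
        print(env.client_ip, env.mail_from, "->", env.rcpt_to, relay_decision(env))
```

Only the last envelope (an external, unauthenticated client sending to an external recipient) is refused; the same envelope is accepted once `open_relay=True`, which is what makes an open relay attractive to spammers and gets the server blacklisted. Note that the decision keys on the recipient domain and on client trust, never on the MAIL FROM address, which any client can set to a local domain.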
Hardening Servers (continued)
• FTP servers can be set to accept anonymous logons using
• A Domain Name Service (DNS) server makes the Internet available to ordinary users
  • DNS servers frequently update each other by transmitting all domains and IP addresses of which they are aware (zone transfer)
Hardening Servers (continued)
• IP addresses and other information can be used in an attack
• USENET is a worldwide bulletin board system that can be accessed through the Internet or many online services
• The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers
Hardening Servers (continued)
• Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers
• Hardening a print/file server
• A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)
• DHCP servers “lease” IP addresses to clients
Hardening Data Repositories
• Data repository: container that holds electronic information
• Two major data repositories: directory services and company databases
• Directory service: database stored on the network that contains all information about users and network devices along with privileges to those resources
Hardening Data Repositories (continued)
• Active Directory is the directory service for Windows
• Active Directory is stored in the Security Accounts Manager (SAM) database
• The primary domain controller (PDC) houses the SAM database
Hardening Networks
• Two-fold process for keeping a network secure:
  • Secure the network with necessary updates
  • Properly configure it
Firmware Updates
• RAM is volatile―interrupting the power source causes RAM to lose its entire contents
• Read-only memory (ROM) is different from RAM in two ways:
  • Contents of ROM are fixed
  • ROM is nonvolatile―disabling the power source does not erase its contents
Firmware Updates (continued)
• ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware
• To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window
• The contents of EEPROM chips can also be erased using electrical signals applied to specific pins
Network Configuration
• You must properly configure network equipment to resist attacks
• The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network
Network Configuration (continued)
• Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)
• Rules are composed of several settings
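The two network-configuration slides above say that perimeter filtering is the primary defence and that a rule base is a list of permit/deny rules "composed of several settings", without showing what those settings are or how a device walks the list. The Python model below is an added example, not code from the original slides or from JurInnov: each rule carries an action, a protocol, source and destination networks and a destination-port range; a packet is matched against the rules in order and the first match wins, with an implicit deny when nothing matches. It also includes a shadowing check that goes beyond the slides: it flags rules that can never fire because an earlier, broader rule already covers every packet they would match, which is the most common way a perimeter rule base silently stops doing what its author intended. The rule base and packets are constructed (the destination addresses reuse the 198.146.118.x address from the socket slide).

```python
"""First-match packet filter with a rule-shadowing check.

Added example, not code from the original slides. Rules, addresses and
packets are constructed; the first-match-wins evaluation with implicit
deny is the model most perimeter devices use.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    """The settings one rule is composed of."""
    name: str
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source network in CIDR form
    dst: str        # destination network in CIDR form
    dports: tuple   # inclusive (low, high); (0, 65535) means any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dports[0] <= pkt.dport <= self.dports[1])


def evaluate(rules, pkt: Packet):
    """Walk the rule base top-down; the first match decides. A packet that
    matches nothing is dropped by the implicit deny at the end of the list."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet b would match is already matched by a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [b.name for i, b in enumerate(rules) if any(covers(a, b) for a in rules[:i])]


# Constructed perimeter rule base: public web and DNS, RDP only from the
# internal network, explicit deny-all last so that drops are logged by name.
PERIMETER = [
    Rule("web-in", "permit", "tcp", "0.0.0.0/0", "198.146.118.20/32", (80, 80)),
    Rule("dns-in", "permit", "udp", "0.0.0.0/0", "198.146.118.53/32", (53, 53)),
    Rule("mgmt-in", "permit", "tcp", "10.0.0.0/8", "198.146.118.0/24", (3389, 3389)),
    Rule("deny-rest", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]

# The same rules with the deny-all moved to the top: every permit is now dead.
MISORDERED = [PERIMETER[3], *PERIMETER[:3]]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.9", "198.146.118.20", 80),
                Packet("tcp", "203.0.113.9", "198.146.118.20", 3389),
                Packet("tcp", "10.1.2.3", "198.146.118.20", 3389)):
        print(pkt, evaluate(PERIMETER, pkt))
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

Against PERIMETER, external HTTP to the web server is permitted by web-in, external RDP to the same host falls through to deny-rest, and RDP from the 10.0.0.0/8 network is permitted by mgmt-in. With the deny-all moved to the top, `shadowed(MISORDERED)` reports all three permits as unreachable. Keeping the deny-all explicit rather than relying on the implicit deny is deliberate: a named rule can be counted and logged, which is how you notice that the perimeter is seeing traffic the rule base never anticipated.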
Summary
• Establishing a security baseline creates a basis for information security
• Hardening the operating system involves applying the necessary updates to the software
• Securing the file system is another step in hardening a system
Summary (continued)
• Applications and operating systems must be hardened by installing the latest patches and updates
• Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: Eric.Vanderburg@jurinnov.com, John.Tsai@jurinnov.com
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115
