Lab 03.5 Hardening the OS

Created in 2019 - for Chapter 4 in ISBN: 978-0-7897-5912-2.

Goal

1. Harden Windows 2019 server and Linux (Ubuntu/Kali).
   1. Update Plan / Policy and automate the policy where possible.
   2. Remove unnecessary programs - List installed programs from Power Shell!
   3. Stop or remove unnecessary services.
   4. Audit open ports
2. Answer these points to discussion
   1. How much update automation should be done? In production environments, how is this handled?
   2. How do we collect status information (Windows and Linux)?
   3. How do you know if an OS or application is vulnerable? We'll look at this more later.
   4. What tools are available to manage patches, updates etc. for each of the OSs that we have installed.
   5. What happens when a snap shot is in play? Should one ever be used in production?
   6. What are the advantages and disadvantages of moving services to non-standard ports?

Essentially we are going to take a shot at implementing least functionality. See NIST and DoD

Setup

1. Install the latest Moin wiki on your Ubuntu system. Use it to document your plan, configuration etc. Make it available outside your network.

Scenario. You are trying to protect your network from attack by hardening the operating systems in use: Windows Server 2019, Ubuntu, Kali and a legacy system that requires Ubuntu 14.04 (our metasploitable application). Unfortunately, circumstances forbid you from changing the Ubuntu 14 server. So for now, we'll just firewall outside access, and look at giving outside access later.

1. Create a plan to harden your systems. Include sections for each of your operating systems.

   1. Updating Windows Server 2019 in 2021, I dropped the Windows 10 VM from the labs. We won't be installing WSUS - that happens in Windows Admin class

   2. Updating Linux systems
2. For each of the above update sections sure to include the following:
   1. Policy including rationale for the actions and automation where appropriate. Include a WSUS installation as part of your Windows Plan.

   2. Configuration is usually controlled on windows by Group Policy, what is available for Linux? You should check out the unattended-upgrades package.

   3. What role do backups or snapshots play in the upgrade process. They essentially slow your VM to a crawl - why is that?

   4. Testing Plan for update - What tests should you run after updates to guarantee your applications will continue to operate correctly.
3. Remove unneeded programs.
4. Document and perform hardening configuration changes (e.g. moving services to non-standard ports etc.)

Show Me / Grade Guide

This will require that you both create a video and create pages on your wiki. Please create a page that links to the other pages on your wiki and upload your video on an appropriate page (e.g. Lab03.5)

1. Show that Moin is accessible from outside your network directly and that it IS UP-TO-DATE!

2. Document, in your wiki, what systems applications are installed on each of the systems - verify that you know what every one of them is for (by documenting their purpose)!

   1. Hint: You should find those packages on linux that don't have another package that depends on them. (You'll have to look and maybe even do some data manipulation). We should be able to do this with Power Shell for windows too.

3. Document, in your wiki, what systems services are installed on each of the systems - verify that you know what every one of them is for!

   1. Hint = Same as the last one.
4. Document, in your wiki, the listening ports on each system, what executable is responsible for them and verify that you need each one.

Additional Notes

1. I installed Bitvise on Windows 10.
2. I installed joe - my favorite editor on Ubuntu 18.04
3. Moin

   1. In installing Moin, to get the commandline "moin account create ..." to work I had to add the following line at line 32 to /usr/local/lib/python2.7/dist-packages/MoinMoin/config/multiconfig.py: sys.path.insert(0, '/usr/local/share/moin')

   2. After this I used # moin account create ... to create an account

   3. Then I cleaned the cache: # moin maint cleancache

   4. Since I did the above by root, I then executed # chown -R www-data.www-data [moin directory]

   5. That was it for moin I logged in and it worked!
4. I set my hostname to ubuntu.dra.local

5. I setup apache2 to use ssl with a 4096 bit key. See: https://websiteforstudents.com/setup-apache2-http-with-self-signed-ssl-tls-certificates-on-ubuntu-16-04-lts-servers/

1. Installing AD DS with PowerShell for Windows 2019: http://www.rebeladmin.com/2018/10/step-step-guide-install-active-directory-windows-server-2019-powershell-guide/

1. Installed WSUS Service

   1. https://gal.vin/2018/04/19/wsus-windows-server-core-walkthrough/ Install is straight forward, but the configuration is not mentioned on many sites.

      • c:\Program Files\Update Services\Tools\WsusUtil.exe postinstall CONTENT_DIR=C:\WSUS_Content

2. Installed Remote admin tools.
3. Added Win 10 machine to domain. Tools now work on Win 10.
4. Configure WSUS through the RSAT tools (run servermanager)

   1. Configure Group Policies to have computers use the WSUS service for windows updates. In GP Management Editor: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update

   2. Enable Configure Automatic Updates I set Configure Automatic Updating: 4, Scheduled Install Time: 11:00 every Friday.

   3. Enable Specify intranet Microsoft update service location Set first two boxes to http://windows2019.dra.local:8530

      1. It takes time for WSUS to recognize the new machines after a group policy push (e.g. gpudpate /force). When looking in the Unassigned Computers group, Change the status above the main window to "any" and click refresh.

5. Installed unattended-upgrades on ubuntu and kali. Removed mimikatz from kali so that it would update.