Differences between revisions 3 and 30 (spanning 27 versions)
Revision 3 as of 2019-02-07 17:45:30
Size: 3540
Editor: scot
Comment:
Revision 30 as of 2021-02-11 16:48:03
Size: 7053
Editor: scot
Comment:
Line 5: Line 5:
== Goal == == Goals ==
Line 7: Line 7:
 1. Harden Windows 10, 2019 server and Linux.
    1. Update Plan / Policy and automate the policy where possible.
 1. Harden Windows 2019 server
    1. Create an Update Plan / Policy and automate the policy where possible.
       a. Decide how updates should be installed for your situation
       a. Set the updates using either
          i. the GUI or
          i. Through the registry HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate > AU or
          i. Via powershell
             1. {{{Install-Module PSWindowsUpdate}}}
             1. {{{Get-Command -module PSWindowsUpdate}}} # to list the commands available.
             1. {{{Add-WUServiceManager -MicrosoftUpdate}}} # to enable additional updates.
             1. {{{Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot}}} and add the following to log the result to a file: {{{| Out-File "\\server\share\log$($env.computername-Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Force}}}
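Review bot: the Out-File path in the last PowerShell step will not produce the intended file name: `$env.computername` is not how PowerShell reads an environment variable (it is `$env:COMPUTERNAME`), and `-Get-Date -f yyyy-MM-dd` inside that one subexpression is parsed as an operator applied to the preceding value rather than as a call, so the expression errors out. Suggest `| Out-File "\\server\share\log$($env:COMPUTERNAME)-$(Get-Date -Format yyyy-MM-dd)-MSUpdates.log" -Force`. The same step should also say plainly that `-AcceptAll -AutoReboot` installs everything offered and reboots without prompting, since that is exactly the trade-off the "Decide how updates should be installed" step asks students to weigh.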
Line 10: Line 19:
    1. Stop or remove unnecessary services.
    1. Audit open ports
 1. Answer these points to discussion
       a. {{{Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize}}}
    1. Stop or remove unnecessary services. (You can do this via the services app or through powershell.
    1. Audit open ports (See Dr. A's list of WindowsAdministration/PowerShellScripts on this wiki)
 1. Harden Linux (Ubuntu/Kali).
    1. Automate updates /* Unattended-Updates package */
    1. Protect SSH by not allowing password logins /* I know we still have my RDP which allows password logins, but we'll fix that later */
 1. Be able to answer these questions
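Review bot: `Format-Table –AutoSize` in the Get-ItemProperty line uses an en dash, which PowerShell rejects as a parameter name when the line is pasted; it needs the ASCII hyphen, `-AutoSize`. The `Wow6432Node` Uninstall key also lists only 32-bit applications on a 64-bit server, so `HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*` should be queried as well or the inventory will miss 64-bit software. Minor: the parenthesis opened in "(You can do this via the services app or through powershell." is never closed.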
Line 18: Line 31:
    1. What are the advantages and disadvantages of moving services to non-standard ports? /* Remember, applications behind the firewall do not need to be on non-standard ports because the firewall will probably force non-standard ports in our configuration. Also talk about virtual IPs! Show them on our firewall */
Line 21: Line 35:
== Setup == == Lab Directions / Setup ==
Line 23: Line 37:
 1. First, we will be installing an AD DS on your windows system. Follow the directions at: WindowsAdministration/Lab02SetupActiveDirectory
 1. Join your windows 10 machine to the AD.
First we are going to install a new application that you must now keep running at all times. Treat it like its a production system.
Line 26: Line 39:
Scenario. You are trying to protect your network from attack by hardening the operating systems in use: Windows 10, Windows Server 2019, Ubuntu 18.04 and a legacy system that requires Ubuntu 14.04 (our metasploitable application). Unfortunately, circumstances forbid you from changing the Ubuntu 14 server. So for now, we'll just firewall outside access, and look at giving outside access later.  1. Install the latest Moin wiki on your Ubuntu system. Use it to document your plan, configuration etc. Make it available outside your network on port 80/443.
Line 28: Line 41:
 1. Create a plan to update your systems. Include sections for each of your operating systems.
    1. Windows 10
    1. Windows Server 2019
    1. Linux systems
 1. For each of these areas make sure to include the following:
Scenario. You are trying to protect your network from attack by hardening the operating systems in use: Windows Server 2019, Ubuntu, Kali and a legacy system that requires Ubuntu 14.04 (our metasploitable application). Unfortunately, circumstances forbid you from changing the Ubuntu 14 server. So for now, we'll just firewall outside access, and look at giving outside access later.

 1. Create a plan to harden your systems. Include the following sections for each of your operating systems.
    1. Updating Windows Server 2019 /* in 2021, I dropped the Windows 10 VM from the labs. We won't be installing WSUS - that happens in Windows Admin class */
    1. Updating Linux systems
 1. For each of the above update sections sure to include the following:
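Review bot: "For each of the above update sections sure to include the following:" is missing a word; read "make sure to include". The "Remove unneeded programs" and SSH items that follow at Line 51 are not update sections, so it is worth stating here that the per-OS sections cover updating only and the later items are separate plan sections.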
Line 34: Line 48:
    1. Configuration is usually controlled on windows by Group Policy, what is available for Linux? If you find something you want to try, I'm game.
    1. What role do backups or snapshots play in the upgrade process.
    1. Configuration is usually controlled on windows by Group Policy, what is available for Linux? /* You should check out the unattended-upgrades package. */
    1. What role do backups or snapshots play in the upgrade process. /* They essentially slow your VM to a crawl - why is that? */
Line 37: Line 51:
 1. Remove unneeded programs.
 1. Configure SSH in each of your systems to not allow only public key logins.
 1. Document and perform hardening configuration changes (e.g. moving services to non-standard ports etc.)
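Review bot: "Configure SSH in each of your systems to not allow only public key logins" states the opposite of what the Goals and the grade guide require ("Protect SSH by not allowing password logins", "SSH is accessible through public key logins only"); drop the "not" so it reads "to allow only public key logins".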
Line 40: Line 57:
 1. Get the instructor to sign off on your plans before you start implementing them.
 1. Show that AD is installed and that all Windows machines are joined to it.
 1. Show that WSUS is managing all your windows Servers (yes, WSUS can manage the machine its installed on).
 1. Show that each of all your systems (except metasploitable) is up-to-date via WSUS and whatever system you are using for managing updates on Ubuntu.
 1. Show what systems applications are installed on each of the systems - verify that you know what every one of them is for!
    1. Hint: You should find those packages on linux that don't have another package that depends on them. (You'll have to look and maybe even do some data manipulation). We should be able to do this with Power Shell for windows too.
 1. Show what systems services are installed on each of the systems - verify that you know what every one of them is for!
    1. Same as the last one.
 1. Show listening ports, what executable is responsible for them and verify that you need each one.
This will require that you both create a video and create pages on your wiki. Please make the home page with links to the other pages on your wiki and upload your video on an appropriate page (e.g. Lab03.5)

 1. Demo that Moin is accessible from outside your network directly and that it IS UP-TO-DATE!
 1. Talk/Demo through your Documentation in your wiki that shows what systems ''applications'' are installed on each of the systems - verify that you know what every one of them is for (by documenting their purpose)!
    1. Hint: You should find those packages on linux that don't have another package that depends on them. (You'll have to look and maybe even do some data manipulation). We should be able to do this with Power Shell for windows too. /* apt list --installed | grep '\[installed\]' OR dpkg -l gives a nice list, but not any install information Hmmm. For Windows see: https://devblogs.microsoft.com/scripting/use-powershell-to-find-installed-software/ */
 1. Talk/Demo through your Documentation in your wiki that shows what system ''services'' are installed on each of the systems - verify that you know what every one of them is for!
    1. Hint = Same as the last one.
 1. Talk/Demo through your Documentation in your wiki of the listening ports on each system, what executable is responsible for them and verify that you need each one.
 1. Demo that SSH is accessible through public key logins only.
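Review bot: in the hint's comment, `apt list --installed | grep '\[installed\]'` is redundant (`--installed` already restricts the listing) and neither it nor `dpkg -l` answers the question the hint actually asks, which is which packages nothing else depends on; `apt-mark showmanual` lists the packages installed explicitly rather than pulled in as dependencies and is the closest one-liner, with `apt-cache rdepends --installed <pkg>` to confirm individual cases. The "Demo that SSH is accessible through public key logins only" item would also benefit from saying what counts as evidence, e.g. `sshd -T | grep -iE 'passwordauthentication|pubkeyauthentication'` showing the effective settings rather than the config file as written.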
Line 50: Line 67:

= Additional Notes =

 1. Moin
    1. In installing Moin, to get the commandline "moin account create ..." to work I had to add the following line at line 32 to /usr/local/lib/python2.7/dist-packages/MoinMoin/config/multiconfig.py: {{{sys.path.insert(0, '/usr/local/share/moin')}}}
    1. After this I used {{{# moin account create ...}}} to create an account
    1. Then I cleaned the cache: {{{# moin maint cleancache}}}
    1. Since I did the above by root, I then executed {{{# chown -R www-data.www-data [moin directory]}}}
    1. That was it for moin I logged in and it worked!
 1. I set my hostname to ubuntu.dra.local
 1. I setup apache2 to use ssl with a 4096 bit key. See: https://websiteforstudents.com/setup-apache2-http-with-self-signed-ssl-tls-certificates-on-ubuntu-16-04-lts-servers/
 1. Installed unattended-upgrades on ubuntu and kali. I had to remove mimikatz from kali so that it would update.
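Review bot: `chown -R www-data.www-data [moin directory]` uses the old dot separator between user and group, which GNU chown still accepts but documents as deprecated; `www-data:www-data` is the portable form. Since the wiki is required to be reachable from outside on 80/443, the note on the self-signed 4096-bit certificate should also say that browsers will warn on it and whether students are expected to accept that or obtain a CA-issued certificate.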

Lab 03.5 Hardening the OS

Created in 2019 - for Chapter 4 in ISBN: 978-0-7897-5912-2.

Goals

  1. Harden Windows 2019 server
    1. Create an Update Plan / Policy and automate the policy where possible.
      1. Decide how updates should be installed for your situation
      2. Set the updates using either
        1. the GUI or
        2. the registry key HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate > AU or
        3. PowerShell
          1. Install-Module PSWindowsUpdate
          2. Get-Command -Module PSWindowsUpdate # to list the commands available.
          3. Add-WUServiceManager -MicrosoftUpdate # to enable additional updates.
          4. Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot and append the following to log the result to a file: | Out-File "\\server\share\log$($env:COMPUTERNAME)-$(Get-Date -Format yyyy-MM-dd)-MSUpdates.log" -Force
    2. Remove unnecessary programs - list installed programs from PowerShell!
      1. Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
    3. Stop or remove unnecessary services (via the Services app or through PowerShell).
    4. Audit open ports (See Dr. A's list of WindowsAdministration/PowerShellScripts on this wiki)
  2. Harden Linux (Ubuntu/Kali).
    1. Automate updates
    2. Protect SSH by not allowing password logins
  3. Be able to answer these questions
    1. How much update automation should be done? In production environments, how is this handled?
    2. How do we collect status information (Windows and Linux)?
    3. How do you know if an OS or application is vulnerable? We'll look at this more later.
    4. What tools are available to manage patches, updates etc. for each of the OSs that we have installed?
    5. What happens when a snapshot is in play? Should one ever be used in production?
    6. What are the advantages and disadvantages of moving services to non-standard ports?

Essentially we are going to take a shot at implementing least functionality; see the NIST and DoD guidance on it.

Lab Directions / Setup

First we are going to install a new application that you must now keep running at all times. Treat it like it's a production system.

  1. Install the latest Moin wiki on your Ubuntu system. Use it to document your plan, configuration etc. Make it available outside your network on port 80/443.

Scenario. You are trying to protect your network from attack by hardening the operating systems in use: Windows Server 2019, Ubuntu, Kali and a legacy system that requires Ubuntu 14.04 (our metasploitable application). Unfortunately, circumstances forbid you from changing the Ubuntu 14 server. So for now, we'll just firewall outside access, and look at giving outside access later.

  1. Create a plan to harden your systems. Include the following sections for each of your operating systems.
    1. Updating Windows Server 2019
    2. Updating Linux systems
  2. For each of the above update sections make sure to include the following:
    1. Policy, including rationale for the actions and automation where appropriate. Include a WSUS installation as part of your Windows plan.
    2. Configuration is usually controlled on Windows by Group Policy; what is available for Linux?
    3. What role do backups or snapshots play in the upgrade process?
    4. Testing plan for updates - what tests should you run after updates to guarantee your applications will continue to operate correctly?
  3. Remove unneeded programs.
  4. Configure SSH on each of your systems to allow only public key logins.
  5. Document and perform hardening configuration changes (e.g. moving services to non-standard ports etc.)
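A check for the key-only SSH requirement (plan item 4 above and the "Protect SSH" goal), added here as an example and not part of the lab page or its author's notes. It reads the global section of an sshd_config the way sshd does and reports every setting that still leaves a password path open; the sample config inside it is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the lab page: check that an sshd_config enforces
# key-only logins, reading it the way sshd does: keywords are case-insensitive,
# "Key value" and "Key=value" both work, the FIRST occurrence of a keyword
# wins, and lines after the first "Match" are conditional, so only the
# global section is evaluated. Usage: ssh_key_only_check /etc/ssh/sshd_config

# sshd_opt CONFIG KEYWORD DEFAULT -> effective global value, lower-cased
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                       # comment or blank line
        { line = $0; sub(/^[ \t]+/, "", line)
          if (!match(line, /[ \t=]+/)) next           # keyword without a value
          k = tolower(substr(line, 1, RSTART - 1))
          v = substr(line, RSTART + RLENGTH); sub(/[ \t]+$/, "", v)
          if (k == "match") exit                      # global section ends here
          if (k == key) { found = 1; print tolower(v); exit } }
        END { if (!found) print tolower(def) }' "$1"
}

# ssh_key_only_check CONFIG -> exit 0 when every password path is closed and
# public keys are accepted; each failing setting is printed, exit status 1.
ssh_key_only_check() {
    local cfg="$1" rc=0 v
    v=$(sshd_opt "$cfg" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "PasswordAuthentication is '$v', want no"; rc=1; }
    v=$(sshd_opt "$cfg" PubkeyAuthentication yes)
    [ "$v" = yes ] || { echo "PubkeyAuthentication is '$v', want yes"; rc=1; }
    # PAM keyboard-interactive prompts are a second password path; older
    # releases only know the ChallengeResponseAuthentication spelling.
    v=$(sshd_opt "$cfg" KbdInteractiveAuthentication \
        "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)")
    [ "$v" = no ] || { echo "KbdInteractiveAuthentication is '$v', want no"; rc=1; }
    v=$(sshd_opt "$cfg" PermitRootLogin prohibit-password)   # OpenSSH default
    case "$v" in no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$v', want no or prohibit-password"; rc=1 ;; esac
    grep -qiE '^[[:space:]]*match([[:space:]=]|$)' "$cfg" &&
        echo "note: Match blocks present; review them with sshd -T -C user=U,host=H,addr=A"
    return $rc
}

# Constructed sample (not from any host): a distro-style file that still allows
# passwords because the first PasswordAuthentication line wins.
sample_weak_config() {
    local f; f=$(mktemp)
    printf '%s\n' '#PasswordAuthentication no' 'ChallengeResponseAuthentication=no' \
        'PasswordAuthentication yes' 'PasswordAuthentication no' > "$f"; echo "$f"
}
```

On a live host, compare the result with `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied.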

Show Me / Grade Guide

This will require that you both create a video and create pages on your wiki. Please make the home page link to the other pages on your wiki and upload your video to an appropriate page (e.g. Lab03.5).

  1. Demo that Moin is accessible from outside your network directly and that it IS UP-TO-DATE!
  2. Talk/Demo through the documentation in your wiki that shows what system applications are installed on each of the systems - verify that you know what every one of them is for (by documenting their purpose)!
    1. Hint: You should find those packages on Linux that don't have another package that depends on them. (You'll have to look and maybe even do some data manipulation.) We should be able to do this with PowerShell for Windows too.
  3. Talk/Demo through the documentation in your wiki that shows what system services are installed on each of the systems - verify that you know what every one of them is for!
    1. Hint: Same as the last one.
  4. Talk/Demo through the documentation in your wiki of the listening ports on each system, what executable is responsible for them and verify that you need each one.
  5. Demo that SSH is accessible through public key logins only.
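For grade items 2 and 4 on the Linux side, an added example (not from the lab page) of the "data manipulation" the hint mentions: one filter lists listening sockets with their owning process and flags which are reachable beyond loopback, the other finds installed packages that nothing else depends on. The ss and dpkg-query commands in the usage comments are real; the ss output and package list embedded below are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the lab page: the two bits of "data manipulation" the
# grade guide asks for on Linux, written as filters on stdin so the same logic
# runs on a live host and on the constructed samples below.
#   ss -tulnp | tail -n +2 | listening_ports
#   dpkg-query -W -f='${Package}\t${Depends}, ${Pre-Depends}\n' | leaf_packages

# listening_ports: one line per socket, "proto addr:port scope process pid";
# scope is "loopback" when bound to 127.x / ::1, otherwise "external".
listening_ports() {
    awk '{ proto = $1; la = $5
           n = split(la, p, ":"); port = p[n]
           addr = substr(la, 1, length(la) - length(port) - 1)
           scope = (addr ~ /^(127\.|\[::1\]$|::1$)/) ? "loopback" : "external"
           proc = "-"; pid = "-"                      # unknown unless run as root
           if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
               split(substr($0, RSTART + 9, RLENGTH - 9), f, "\",pid=")
               proc = f[1]; pid = f[2] }              # first owner only
           print proto, la, scope, proc, pid }'
}

# leaf_packages: input lines are "<package>TAB<depends list>"; prints the
# packages nothing else depends on, i.e. the ones the hint asks you to justify.
# Version constraints "(>= 1.2)", ":any" qualifiers and "a | b" alternatives
# are handled; both sides of an alternative count as needed (conservative).
leaf_packages() {
    awk -F'\t' '{ installed[$1] = 1
                  n = split($2, deps, ",")
                  for (i = 1; i <= n; i++) {
                      m = split(deps[i], alts, "|")
                      for (j = 1; j <= m; j++) {
                          d = alts[j]; gsub(/\([^)]*\)/, "", d)
                          gsub(/[ \t]/, "", d); sub(/:.*$/, "", d)
                          if (d != "") needed[d] = 1 } } }
                END { for (pkg in installed) if (!(pkg in needed)) print pkg }' | sort
}

# Constructed samples (not captured from a real host).
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=901,fd=7))
tcp LISTEN 0 80 [::]:80 [::]:* users:(("apache2",pid=1200,fd=4),("apache2",pid=1199,fd=4))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=700,fd=6))'
SAMPLE_PKGS=$(printf 'libc6\t\nopenssh-server\tlibc6 (>= 2.17), openssh-sftp-server, libpam0g:any\ncups\tlibc6, adduser | foo\nadduser\tpasswd\npasswd\tlibc6\nopenssh-sftp-server\tlibc6\n')
```

Every "external" line and every leaf package is something the wiki documentation should be able to name a purpose for.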

Additional Notes

  1. Moin
    1. In installing Moin, to get the command line "moin account create ..." to work I had to add the following line at line 32 of /usr/local/lib/python2.7/dist-packages/MoinMoin/config/multiconfig.py: sys.path.insert(0, '/usr/local/share/moin')
    2. After this I used # moin account create ... to create an account
    3. Then I cleaned the cache: # moin maint cleancache
    4. Since I did the above as root, I then executed # chown -R www-data.www-data [moin directory]
    5. That was it for Moin; I logged in and it worked!
  2. I set my hostname to ubuntu.dra.local
  3. I set up apache2 to use SSL with a 4096 bit key. See: https://websiteforstudents.com/setup-apache2-http-with-self-signed-ssl-tls-certificates-on-ubuntu-16-04-lts-servers/
  4. Installed unattended-upgrades on Ubuntu and Kali. I had to remove mimikatz from Kali so that it would update.

NetworkSecurity/Lab/Lab03.5 (last edited 2021-05-25 14:01:12 by scot)