Differences between revisions 3 and 4
Revision 3 as of 2019-02-07 17:45:30
Size: 3540
Editor: scot
Comment:
Revision 4 as of 2019-02-07 17:55:13
Size: 4141
Editor: scot
Comment:
Line 18: Line 18:
    1. What are the advantages and disadvantages of moving services to non-standard ports?
Line 23: Line 24:
 1. First, we will be installing an AD DS on your windows system. Follow the directions at: WindowsAdministration/Lab02SetupActiveDirectory   1. First, we will be installing an AD DS on your windows system. Follow the directions at: WindowsAdministration/Lab02SetupActiveDirectory
Line 25: Line 26:
 1. Install the latest Moin wiki on your Ubuntu system. Use it to document your plan, configuration etc. Make it available outside your network.
Line 28: Line 30:
 1. Create a plan to update your systems. Include sections for each of your operating systems.
    1. Windows 10
    1. Windows Server 2019
    1. Linux systems
 1. For each of these areas make sure to include the following:
 1. Create a plan to harden your systems. Include sections for each of your operating systems.
    1. Updating Windows 10
    1. Updating Windows Server 2019
    1. Updating Linux systems
 1. For each of the above update sections sure to include the following:
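Review bot: the revised lead-in "For each of the above update sections sure to include the following:" is missing the verb "be". The parent step was also renamed from "Create a plan to update your systems" to "Create a plan to harden your systems", but all three sub-items are still "Updating ...", so the step title and its contents no longer match. Either keep "update" in the title or add hardening sub-sections here, since removing programs and configuration changes are introduced as separate steps in the next hunk.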
Line 37: Line 39:
 1. Remove unneeded programs.
 1. Document and perform hardening configuration changes (e.g. moving services to non-standard ports etc.)
Line 40: Line 44:
 1. Get the instructor to sign off on your plans before you start implementing them.  1. Get the instructor to sign off on your plans before you start implementing them - this must be on your wiki and it must be available outside your network!
Line 44: Line 48:
 1. Show what systems applications are installed on each of the systems - verify that you know what every one of them is for!  1. Document, in your wiki, what systems applications are installed on each of the systems - verify that you know what every one of them is for (by documenting their purpose)!
Line 46: Line 50:
 1. Show what systems services are installed on each of the systems - verify that you know what every one of them is for!
    1. Same as the last one.
 1. Show listening ports, what executable is responsible for them and verify that you need each one.
 1. Document, in your wiki, what systems services are installed on each of the systems - verify that you know what every one of them is for!
    1. Hint = Same as the last one.
 1. Document, in your wiki, the listening ports on each system, what executable is responsible for them and verify that you need each one.

Lab 03.5 Hardening the OS

Created in 2019 - for Chapter 4 in ISBN: 978-0-7897-5912-2.

Goal

  1. Harden Windows 10, Windows Server 2019 and Linux.
    1. Update Plan / Policy and automate the policy where possible.
    2. Remove unnecessary programs - List installed programs from PowerShell!
    3. Stop or remove unnecessary services.
    4. Audit open ports.
  2. Answer these discussion points:
    1. How much update automation should be done? In production environments, how is this handled?
    2. How do we collect status information (Windows and Linux)?
    3. How do you know if an OS or application is vulnerable? We'll look at this more later.
    4. What tools are available to manage patches, updates etc. for each of the OSs that we have installed?
    5. What happens when a snapshot is in play? Should one ever be used in production?
    6. What are the advantages and disadvantages of moving services to non-standard ports?

Essentially, we are going to take a shot at implementing least functionality. See NIST and DoD.

Setup

  1. First, we will be installing AD DS on your Windows system. Follow the directions at: WindowsAdministration/Lab02SetupActiveDirectory

  2. Join your Windows 10 machine to the AD.
  3. Install the latest Moin wiki on your Ubuntu system. Use it to document your plan, configuration etc. Make it available outside your network.

Scenario. You are trying to protect your network from attack by hardening the operating systems in use: Windows 10, Windows Server 2019, Ubuntu 18.04 and a legacy system that requires Ubuntu 14.04 (our metasploitable application). Unfortunately, circumstances forbid you from changing the Ubuntu 14 server. So for now, we'll just firewall outside access, and look at giving outside access later.

  1. Create a plan to harden your systems. Include sections for each of your operating systems.
    1. Updating Windows 10
    2. Updating Windows Server 2019
    3. Updating Linux systems
  2. For each of the above update sections, be sure to include the following:
    1. Policy including rationale for the actions and automation where appropriate. Include a WSUS installation as part of your Windows Plan.
    2. Configuration is usually controlled on Windows by Group Policy. What is available for Linux? If you find something you want to try, I'm game.
    3. What role do backups or snapshots play in the upgrade process?
    4. Testing Plan for update - What tests should you run after updates to guarantee your applications will continue to operate correctly?
  3. Remove unneeded programs.
  4. Document and perform hardening configuration changes (e.g. moving services to non-standard ports).

Show Me / Grade Guide

  1. Get the instructor to sign off on your plans before you start implementing them - this must be on your wiki and it must be available outside your network!
  2. Show that AD is installed and that all Windows machines are joined to it.
  3. Show that WSUS is managing all your Windows servers (yes, WSUS can manage the machine it's installed on).
  4. Show that each of your systems (except metasploitable) is up-to-date via WSUS and whatever system you are using for managing updates on Ubuntu.
  5. Document, in your wiki, what systems applications are installed on each of the systems - verify that you know what every one of them is for (by documenting their purpose)!
    1. Hint: You should find those packages on Linux that don't have another package that depends on them. (You'll have to look and maybe even do some data manipulation). We should be able to do this with PowerShell for Windows too.
  6. Document, in your wiki, what systems services are installed on each of the systems - verify that you know what every one of them is for!
    1. Hint: Same as the last one.
  7. Document, in your wiki, the listening ports on each system, what executable is responsible for them and verify that you need each one.
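
One way to do the "data manipulation" from the hint in item 5 on the Ubuntu hosts, as an added example that is not part of the original lab: it reads text in the `/var/lib/dpkg/status` format and returns the installed packages that no other installed package depends on. The sample data and the function names are constructed for illustration; alternatives (`a | b`) and virtual packages (`Provides`) are counted conservatively as "needed".

```python
import re
# Constructed sample in /var/lib/dpkg/status format (not from a real host).
SAMPLE_STATUS = """\
Package: openssh-server
Status: install ok installed
Depends: libc6 (>= 2.26), openssh-client (= 1:7.6p1-4)

Package: openssh-client
Status: install ok installed

Package: libc6
Status: install ok installed

Package: telnetd
Status: install ok installed
Depends: libc6, openbsd-inetd | inet-superserver

Package: inetutils-inetd
Status: install ok installed
Provides: inet-superserver

Package: nmap
Status: deinstall ok config-files
"""

def dep_names(field):
    """Names in a dependency field, without versions or :arch qualifiers."""
    items = re.split(r"[,|]", re.sub(r"\(.*?\)", "", field))
    return {i.strip().split(":")[0] for i in items if i.strip()}

def parse_stanzas(text):
    """Yield a {field: value} dict per stanza, skipping continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l[:1].strip() and ":" in l]
        yield {k: v.strip() for k, _, v in (l.partition(":") for l in lines)}

def leaf_packages(status_text, dep_fields=("Pre-Depends", "Depends")):
    """Installed packages that no other installed package depends on."""
    installed, wanted, provides = set(), set(), {}
    for st in parse_stanzas(status_text):
        if not st.get("Status", "").endswith(" installed"):
            continue  # removed, config-files only, or half-installed
        installed.add(st["Package"])
        for virt in dep_names(st.get("Provides", "")):
            provides.setdefault(virt, set()).add(st["Package"])
        for field in dep_fields:
            wanted |= dep_names(st.get(field, ""))
    wanted |= {p for v in wanted for p in provides.get(v, ())}
    return sorted(installed - wanted)
```

On a lab host, pass `open("/var/lib/dpkg/status").read()` to `leaf_packages`; each name it returns is a package you chose (or inherited) directly and should be able to justify in the wiki.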
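
For item 7 on the Linux hosts, the following added example (not part of the original lab) parses `ss -tulnp` output, maps each listening socket to the executable that owns it, and reports listeners that are missing from your documented list or whose owner could not be identified. The sample output and the `DOCUMENTED` allowlist are constructed; replace them with your own capture (run `ss` with sudo so the process column is populated) and the ports recorded in your wiki.

```python
import re

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=12))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1033,fd=21))
tcp   LISTEN 0      5      0.0.0.0:8080       0.0.0.0:*
"""

# Hypothetical allowlist copied from the wiki: (protocol, port) -> purpose.
DOCUMENTED = {("tcp", 22): "remote admin (sshd)",
              ("udp", 53): "local stub resolver",
              ("tcp", 8080): "Moin wiki"}

def parse_listeners(ss_text):
    """Return a dict (proto, addr, port, procs) for each listening socket."""
    rows = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Netid":
            continue  # header or blank line
        addr, _, port = cols[4].rpartition(":")
        procs = sorted(set(re.findall(r'\("([^"]+)",pid=\d+', line)))
        rows.append({"proto": cols[0], "addr": addr, "port": int(port),
                     "procs": procs or ["unknown (rerun ss as root)"]})
    return rows

def audit(ss_text, documented):
    """Return (proto, port, procs, issue) for listeners needing attention."""
    findings = set()
    for r in parse_listeners(ss_text):
        key = (r["proto"], r["port"])
        if key not in documented:
            findings.add((*key, ",".join(r["procs"]), "undocumented"))
        elif r["procs"][0].startswith("unknown"):
            findings.add((*key, ",".join(r["procs"]), "owner not identified"))
    return sorted(findings)
```

Every tuple returned by `audit` is a listener to either document with a purpose or shut down.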

NetworkSecurity/Lab/Lab03.5 (last edited 2021-05-25 14:01:12 by scot)