SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Copyright SANS Institute Author Retains Full Rights

System Administrator – Security Best Practices
Harish Setty

Introduction:


System Administrators are the people responsible for making computers work in the field. They are also responsible for the uninterrupted operation of the computers to take care of the business needs. A System Administrator's knowledge of system security loopholes and their implications for the business they are managing is a good asset to any enterprise/company. By following simple practices during their administrative functions, they can build secure systems. These also help in reporting security incidents at an early stage and taking corrective measures. Some of the best practices are discussed here, without getting into the specifics of any particular operating system or version.


Knowledge update:


Know more about the security of the systems you are administering. Read the appropriate security bulletins available from vendors, user groups and security institutes on a regular basis. Subscribe to security bulletins and advisories from vendors. Generally, at the vendor site you can get information on the known security bugs of their systems and possible solutions. The solution may be a configuration change, applying a patch, or sometimes a hardware issue like replacement/upgrade. It is also important to understand each security issue with relevance to your configuration and environment. Keep track of changes on the systems, network and business needs which may impact the security of the systems you are administering.

System and Console - Physical Security:


The system console should be physically protected. Make sure to install systems in a secured location where only authorized personnel are allowed. If there is physical access to the system console and the computer, it is easy for anyone to break in or misuse it. Most systems have a back door entry or procedure to break into the system using the console. In fact, this is an essential feature for breaking into the system when the superuser password is lost. Secure your console from someone who keeps guessing the superuser password at the console.
• Machines need to be physically secured at all times. A person with access to a machine can simply turn it off. If one has access to the console, he/she can interrupt the boot process and gain access, sometimes by booting from a floppy or CD, etc. You should be cautious even if you are installing a system for temporary use or testing, before moving it to the planned secured location. There is a chance that someone can misuse the system. If a hacker gains access to a system for a short period of time, he can misuse the opportunity to come back later, unless you detect and patch the hole he has made.
• Do not leave the console logged in at any point of time if you are away. Make it a practice to log out every time after completing your job.




If your system supports a timeout feature for the system console, configure it. When you forget to log out, the session will be timed out. System administrators' terminals, or the terminals used by administrators, are at high risk if they are not secured. If an intruder breaks into a system administrator's terminal, there is a chance of getting access to multiple systems. System administrators generally have the habit of keeping multiple sessions/windows open to different systems simultaneously to carry out administrative tasks. These terminals should be located in a secured area. As an administrator, make sure to log out from your terminal or lock your screen when you are away from it.




Keep your systems lean and mean:


Maintain your systems and servers with the minimum services and packages possible. The more services and applications you are running, the greater the risk of exposing the system to exploitation.
• During Operating System installation, try to minimize the components/packages. Install only the essential components which are required for running the services and applications for which the system is intended. You can always add additional components when they are needed for running additional services and applications. Similarly, whenever you remove an application or a service on a system, remember to uninstall the operating system components it used, if they are not used by other applications.
• Remove any extra service running on the system which is not being used. The procedure for turning off a particular service varies depending upon the operating system and administrative tools you are using. Sometimes it may be turning off a particular switch in a GUI or editing the /etc/inetd.conf file, etc.
• Close unused TCP/UDP ports. Any open TCP/UDP service offers an attacker a possible entry into your system. Having any port open that is not absolutely necessary, then, should be avoided. The procedure to verify the open ports depends on the Operating System you are administering. Some of the procedures are checking the configuration files, using the netstat utility, using port scanners, etc.

Superuser Password:

System Administrators should be very cautious about the root password or Administrator password.
• Use a lengthy password. More characters are better, as long as you can remember it and the operating system supports it.
• Make the password easy for you to remember and hard for others to guess, and use non-dictionary words.
• Never store the password as plain text or write it down on paper. Use encryption utilities if you have to store it in a file for some reason.
• Use a mixture of upper and lower case characters.
• Insert punctuation marks or symbols like {, ^, #, @, $ etc.
• Configure the password-aging feature, if available in the operating system. Minimum age and maximum age have to be decided depending on the environment.




Use the shadow password feature, if available on Unix systems. This will prevent someone from trying to gain root access using a cracker when the encrypted passwords in the /etc/passwd file are readable. A cracker is a program/utility which methodically tests each encoded password in the file against a dictionary of commonly used passwords.

Delegating superuser tasks:


Sometimes you may need to give users the ability to use or access privileged commands. It is not a good idea to give complete privilege to the users. Instead, you have to limit the permission to the tasks or commands they are supposed to run. If the operating system you are supporting is trusted, you can take advantage of this feature. Assign appropriate privileges to the required users. HP, IBM and SCO offer trusted operating systems, developed by SecureWare, in addition to their standard Unix variants. In some Operating Systems you have to enable this mode, as the default may be non-trusted mode.


If the operating system is not trusted, you may have to share the superuser account or give out the superuser password temporarily. Generally, in Unix systems administration privileges are all or nothing. Here there is a risk that someone will abuse his or her superuser status, the superuser account. When someone logs in as superuser using the superuser password, it is impossible to trace an act of misconduct back to who logged into the computer. If the root account is a shared account, more people will have superuser privilege, and the more people who share it, the more anonymity any one person has to abuse the system. In these situations, you may use the sudo (Super User DO) utility. Sudo is a public domain program which provides a flexible solution for delegating superuser privileges. You can give partial or complete root privileges to a particular user. It also logs every time these privileges are used.


User Passwords:


A good password scheme/policy is one of the basic security measures to prevent unauthorized access. However, setting up a policy on paper and encouraging your users to adhere to it will be difficult, because most users want a password which is easy to remember and don't want to change it. When you are managing user accounts, certain policies can be implemented so that users have to follow them. The exact policy which you can enforce depends upon the operating system and version and the business need.
• Password Aging: Setting a password aging policy allows you to force the user to change his/her password periodically. You can define the minimum age and maximum age for a user to change his password.
• Minimum Length: Enforce a minimum password length of at least 6 characters.
• Non-dictionary words: If the operating system supports this feature, the user is not allowed to select a word from a standard dictionary as a password.
• Password Uniqueness: The password uniqueness setting allows you to specify the number of new passwords that a user must select before they can reuse one that they have used previously.




• New Password: In some environments, you can set the minimum number of characters that should be different in the new password from the previous password when a user tries to change the password.
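The password rules listed above (minimum length, non-dictionary words, uniqueness against a password history, and a minimum number of changed characters) expressed as a small policy checker. This is an added example, not code from the paper or from any operating system; the word list, history size and difference threshold are constructed values, and old passwords are kept only as salted PBKDF2 hashes.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed mini word list standing in for a system dictionary (assumption:
# a real deployment would load /usr/share/dict/words or a cracker word list).
DICTIONARY: Set[str] = {"password", "welcome", "summer", "dragon", "letmein"}


@dataclass
class Policy:
    min_length: int = 6       # the paper's "at least 6 characters"
    history_size: int = 5     # previous passwords a user may not reuse
    min_diff_chars: int = 3   # characters that must change versus the old password


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Only salted hashes of old passwords are stored, never the plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordHistory:
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def contains(self, password: str) -> bool:
        return any(_pbkdf2(password, salt) == digest for salt, digest in self.entries)

    def add(self, password: str, history_size: int) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _pbkdf2(password, salt)))
        del self.entries[:-history_size]  # keep only the newest history_size entries


def chars_differ(old: str, new: str) -> int:
    """Positions where old and new differ, plus any difference in length."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(new: str, old: Optional[str], history: PasswordHistory,
                   policy: Optional[Policy] = None) -> List[str]:
    """Return the policy rules the proposed password violates (empty list = accepted)."""
    policy = policy or Policy()
    problems = []
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if new.lower() in DICTIONARY:
        problems.append("dictionary word")
    if history.contains(new):
        problems.append(f"reused within the last {policy.history_size} passwords")
    if old is not None and chars_differ(old, new) < policy.min_diff_chars:
        problems.append(f"fewer than {policy.min_diff_chars} characters differ "
                        "from the previous password")
    return problems


def change_password(new: str, old: Optional[str], history: PasswordHistory,
                    policy: Optional[Policy] = None) -> List[str]:
    """Apply the policy; on success record the new password in the history."""
    policy = policy or Policy()
    problems = check_password(new, old, history, policy)
    if not problems:
        history.add(new, policy.history_size)
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    print(change_password("Summer2001!", None, hist))          # accepted
    print(change_password("Summer2002!", "Summer2001!", hist)) # too similar
```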


User Terminals:

• Unattended user terminals, or when the user is away from his desk, present a possibility of misuse by someone. If the terminals support a timeout or screen lock-out feature, implement it. It basically locks the terminal if it is idle (no keyboard activity) for a certain period of time. When the user comes back or wants to continue working, he/she has to unlock the screen or terminal with a password.
• Set the password lockout feature, if the operating system is capable, or use a utility. Here the user terminal or user account will be disabled after a set number of unsuccessful login attempts. This is a simple measure to protect against someone who keeps guessing passwords. You have to decide the parameters judiciously.


Restrict Users:

• If users of the system are not logging in from the console or from terminals connected directly to the system, you have to be more cautious. You have to configure your systems to accept connections only from known IP addresses. In case you have to allow dial-in access to your users, you should have an additional level of security like RADIUS or allowing only known telephone numbers, etc. In some situations, like web servers, this may not be practical. Then you have to restrict by other means, like passing user connections through a firewall or VPN, etc. If possible, it is a good idea to restrict users by their source IP address or the time slot they are supposed to work on the system. This is an additional level of security for your system. Some operating systems have built-in features to enable this kind of restriction. If these features are not available, you may have to use additional tools and utilities like tcp wrappers, ssh, etc.
• If the Operating System allows you to control the user's environment, make use of it. For all common users, unless required, do not provide more access to the system resources than he/she is supposed to have. To name a few: allowing application users to log in only through the application window (no shell or telnet access), configuring a Restricted Shell for ordinary users, etc.


User Education:


The System Administrator is the first level contact for users in the organization for system support (sometimes it is a help-desk person). It is a good idea for a System Administrator to educate users and help-desk personnel about basic security issues and practices to follow, either formally or informally. This will help in building secured systems. It is advantageous if the users are aware of the security issues and implications. Some of the best practices for users are: not to leave the terminal logged in, not to share the password with someone, changing the password periodically, not to write down the password on paper, using non-dictionary words for passwords, etc. As a System Administrator, you will be aware of the specific things in your environment to educate users about.


Keep your systems up to date:


Security patches from the system vendors can close most of the known security holes. They are also called Service Packs in some cases. After applying the latest security patches, you should stay up to date with new releases of patches from the vendors of your systems. Whenever a new security patch is available, you should carefully study the details of the vulnerability and its impact on your systems and environment. Depending upon the risk, you may decide how soon you have to install/apply those patches, because sometimes applying patches involves downtime of the systems. Subscribing to vendors' patch release bulletins and having support contracts with vendors is one way to make sure you get the latest information automatically.


You may adopt different strategies when applying security patches, suitable to your system infrastructure. One method is to apply each and every security patch available for your operating system and applications. The other method is to verify the need for a particular patch on your system and install it if required.


Vulnerability Testing:


Prevention is better than cure. As a System Administrator, if you are aware of the vulnerabilities, you can take corrective action before someone exploits them. There are many security vulnerabilities that are specific to the operating systems. There are tools available which scan the system and report security problems. Periodically scan your systems using appropriate tools like tiger (for Unix), WebTrends (for NT), etc. After getting the report, you have to analyze each vulnerability for its impact in your system environment. If the security risk is serious, take corrective action immediately. Otherwise you can plan for the earliest time slot, if the corrective action requires scheduled downtime of the system. Also scan the system after fixing the vulnerability to make sure. Many of the tools report each vulnerability with an explanation and recommendations for corrective action.


Monitor your systems periodically:


Maintain system logs on your system, particularly if it is multi-user or networked. Configure logging for the maximum information possible and also for a reasonable period of time. Depending upon the Operating System, the procedure may be as simple as touching (creating) a file or sometimes installing additional components of the Operating System. In some environments it may be installing and turning on an audit subsystem, etc. Having a huge amount of logs, can we always read these large files? The remedy is to use Log Analyzers. Some Operating Systems have built-in Log Analyzers or audit tools. If not, use additional tools. Basically, Log Analyzers are programs that read log files and report the summary or statistics either in graphic or tabular form. You can also use these tools for analyzing trends on your system, sending pre-defined Threshold Crossing Alarms, login attempts and failures, etc.
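A minimal log analyzer of the kind described above, as an added example that is not from the paper or any vendor tool: it reads syslog-style sshd lines, tabulates accepted and failed logins per source and per account, and emits a Threshold Crossing Alarm when one source exceeds a failure limit. The log lines and the threshold are constructed samples.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the shape of a Unix auth log (not real data).
SAMPLE_LOG = """\
Apr 16 10:01:02 host1 sshd[1201]: Failed password for root from 192.0.2.10 port 5001 ssh2
Apr 16 10:01:05 host1 sshd[1202]: Failed password for root from 192.0.2.10 port 5002 ssh2
Apr 16 10:01:09 host1 sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 5003 ssh2
Apr 16 10:02:11 host1 sshd[1210]: Accepted password for alice from 198.51.100.7 port 6001 ssh2
Apr 16 10:03:40 host1 sshd[1215]: Failed password for alice from 198.51.100.7 port 6002 ssh2
Apr 16 10:03:52 host1 sshd[1216]: Accepted publickey for bob from 198.51.100.9 port 6003 ssh2
Apr 16 10:04:00 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(log_text: str) -> List[Dict[str, str]]:
    """Extract login events; lines that are not sshd auth records are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Tabular summary: accepted and failed logins per source, failures per account."""
    summary = {"accepted": Counter(), "failed": Counter(), "failed_by_user": Counter()}
    for e in events:
        if e["result"] == "Accepted":
            summary["accepted"][e["src"]] += 1
        else:
            summary["failed"][e["src"]] += 1
            summary["failed_by_user"][e["user"]] += 1
    return summary


def threshold_alarms(summary: Dict[str, Counter], max_failures: int) -> List[str]:
    """Threshold Crossing Alarms: sources with more than max_failures failed logins."""
    return [f"ALARM: {src} had {n} failed logins (threshold {max_failures})"
            for src, n in summary["failed"].items() if n > max_failures]


if __name__ == "__main__":
    s = summarize(parse(SAMPLE_LOG))
    for src, n in s["failed"].most_common():
        print(f"{src:16} {n} failed")
    for alarm in threshold_alarms(s, max_failures=2):
        print(alarm)
```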


Monitor for any unauthorized modification of system files and configuration files. You may use scripts or tools to see any files being created/deleted or permissions and ACLs being modified. Here the primary idea is to build a database of file size, file permissions, digital signature, number of files, etc. on the file system. Keeping this as a reference, compare these attributes at a later date for any change. If the change is genuine and authorized, it is fine. Otherwise you have to investigate it further. Tripwire is one such tool, available on most Operating Systems today. Tripwire checks to see what has changed on your file system and gives an extensive report. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
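The baseline-and-compare idea above, written out as a small Tripwire-style checker. This is an added example, not Tripwire's code: it records size, permission bits and a SHA-256 digest of every regular file under a directory, stores that as a JSON reference, and later reports files that were added, removed or changed. The directory tree and file names in demo() are constructed for the run.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict


def _digest(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record size, permission bits and digest of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not hashed here
            rel = os.path.relpath(path, root)
            baseline[rel] = {"size": st.st_size,
                             "mode": oct(stat.S_IMODE(st.st_mode)),
                             "sha256": _digest(path)}
    return baseline


def save_baseline(baseline: Dict[str, dict], out_path: str) -> None:
    # The reference database must live where the monitored host cannot alter
    # it (read-only media or another machine), or it can be updated with the files.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as f:
        return json.load(f)


def compare(reference: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Report files added, removed, or whose recorded attributes changed."""
    added = sorted(set(current) - set(reference))
    removed = sorted(set(reference) - set(current))
    changed = []
    for rel in sorted(set(reference) & set(current)):
        diffs = [k for k in ("size", "mode", "sha256")
                 if reference[rel][k] != current[rel][k]]
        if diffs:
            changed.append((rel, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> Dict[str, list]:
    """Baseline a constructed tree, alter it, and return what the comparison finds."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, text in (("inetd.conf", "ftp stream tcp nowait root /usr/sbin/in.ftpd\n"),
                           ("hosts.allow", "sshd: 192.0.2.\n")):
            with open(os.path.join(etc, name), "w") as f:
                f.write(text)
            os.chmod(os.path.join(etc, name), 0o644)
        db = os.path.join(root, "baseline.json")  # constructed location
        save_baseline(build_baseline(etc), db)
        # Three changes an administrator would want flagged: a service line
        # appended, permissions loosened, and a new file appearing.
        with open(os.path.join(etc, "inetd.conf"), "a") as f:
            f.write("telnet stream tcp nowait root /usr/sbin/in.telnetd\n")
        os.chmod(os.path.join(etc, "hosts.allow"), 0o666)
        with open(os.path.join(etc, "extra.conf"), "w") as f:
            f.write("x\n")
        return compare(load_baseline(db), build_baseline(etc))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```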


Configuration documentation:

It is a good practice to document any change in the system configuration, either hardware or software. This is very helpful in situations like disaster recovery, detection of an intruder, trouble-shooting, etc. If you have several System Administrators, it is even more important to have everything documented. It is recommended to maintain an additional copy of the documentation on a different machine or as a hard copy.


Backup and Disaster Recovery:


In spite of reliable hardware, software and administration, there are times when systems crash or fail. The failure may also be due to hacking. Good system administration always involves a reliable backup and recovery procedure. Depending upon the business need, you have to plan backup procedures. You may use the built-in backup and recovery tools in the Operating System or dedicated software from a different vendor. Sometimes you may require additional hardware for backing up the data. Some of the important facts to consider while planning backup are:
• How frequently you have to back up data and what is the best time to back up
• How much data is to be backed up
• Off-site storage of the data in case of catastrophe
• How long the backup data is to be stored
• Security of the backup data: backup media should be stored in a secured place. If the data is stored on-line, securing the data from a hacker/intruder is equally important.
• Good documentation for the backup and recovery procedure
Many of the considerations depend upon the business need and the corporate goal. Any backup and disaster recovery plan/procedure is not complete unless it is tested. Periodically you have to test whether the data recovery is working. When you are planning for backup and disaster recovery, the basic questions are how fast you have to rebuild the system to the latest working state if the entire system is destroyed, and how much data you can afford to lose.


Conclusion:


As information infrastructures and the Internet have become larger and more complex, it has also become critical to keep systems up and running all the time. Though system administration tasks have become easier in recent years, system administrators need to be more up to date on the systems and networks they are managing. In recent years, as systems are exposed to the Internet, there is an increased challenge for System Administrators to maintain these systems and protect them from hackers. If System Administrators are more security conscious and follow good practices during routine administrative tasks, we can have secured systems. This also helps any organization to be prepared in the event of any security violation or disaster.

References:


1. Seifried, Kurt. "Linux Administrator's Security Guide". URL: http://www.ibiblio.org/mdw/LDP/lasg/
2. Albano, Daniel. "The Challenge of Computer Security", September 1996. URL: http://www.magi.com/~mmelick/it96sept.htm
3. "Top Ten Best Practices for Unix System Administrators", March 11 1999. URL: http://www.more.net/security/unix10.html
4. Kessler, Gary. "Security Tools For Windows NT Networks", April 1999. URL: http://www.garykessler.net/library/nt_security_tools.html
5. Allen, Julia. "The CERT Guide to System and Network Security Practices". Addison Wesley, 2001.
6. Beale, Jay. "Tripwire – The Only Way to Really Know". URL: http://www.securityportal.com/topnews/tripwire20000711.html
7. "Managing Root Access with Sudo", November 25 2000. URL: http://unix.about.com/library/weekly/aa102500a.htm
8. "What are the major differences between trusted and non-trusted systems?" URL: http://www.faqs.org/faqs/hp/hpux-faq/section-66.html


Last Updated: April 16th, 2018
