Just How Effective is System Hardening?
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
/. is just the place to come for advice on "system hardening."
System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, VLAN segregation, virus scanner, etc., they still have to contend with a hardened local system in order to compromise data.
System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.
I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.
The DISA gold disk breaks Windows just as bad, believe me. The 100% Gold Disk Standard(tm) is only necessary for the highest security systems, which usually run software designed with gold disk hardening in mind in the first place.
I use Ubuntu 8.04. It's hardy out of the box.
Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?
System and network hardening is very effective. By hardening, I mean doing things like removing unnecessary services and applications; configuring the remaining services to be as featureless as possible while still doing what you need; examining the remaining service and application configurations and making changes to reduce features and employ security measures like encryption, etc.; utilizing whatever access controls are available in the strictest sense.
That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.
Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a Windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations, however, users are used to having more control, and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.
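The post above describes hardening as removing unnecessary services, stripping the remaining ones down to what is needed, and then monitoring for drift. The following is an added example (not code from the original thread) of how a defender can turn that into a repeatable check: it parses a constructed `ss -tlnp`-style listing against an allowlist of expected network-facing services, and compares a constructed `sshd_config` fragment against a hardened baseline. The sample output, the allowlist and the baseline values are all assumptions chosen for illustration; a real deployment would take its inputs from the live host and its baseline from whichever guide it follows.

```python
"""Hardening audit over constructed sample data: unexpected network listeners
and drift of sshd_config away from a hardened baseline."""
import re

# Constructed sample in the style of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1104,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=640,fd=4))
LISTEN  0       50      [::]:6000            [::]:*             users:(("Xorg",pid=1500,fd=5))
"""

# Constructed sshd_config fragment with several permissive settings left in place.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
#MaxAuthTries 6
"""

# Policy (an assumption for this example): the only services this host should expose.
ALLOWED_LISTENERS = {22: "sshd", 80: "nginx"}

# Hardened baseline (assumed values): directive -> required value, compared case-insensitively.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Return (address, port, process) tuples for each LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def audit_listeners(listeners, allowed=ALLOWED_LISTENERS):
    """Flag network-facing listeners the allowlist does not cover.
    Loopback-bound sockets are not reachable from the network, so they pass."""
    findings = []
    for addr, port, proc in listeners:
        if addr in LOOPBACK:
            continue
        if allowed.get(port) != proc:
            findings.append((addr, port, proc))
    return findings


def parse_sshd_config(text):
    """Map directive keyword (lowercased) -> value; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def audit_sshd(settings, baseline=SSHD_BASELINE):
    """Return (directive, expected, actual) for every directive that deviates.
    An absent directive is reported too: its effective value is then the daemon's
    compiled-in default, which a baseline should never silently rely on."""
    deviations = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, expected, actual))
    return deviations


if __name__ == "__main__":
    for addr, port, proc in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: {proc} on {addr}:{port}")
    for key, expected, actual in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"sshd drift: {key} should be {expected!r}, found {actual!r}")
```

Run against the constructed data, the listener check reports `rpcbind` on port 111 and `Xorg` on port 6000 (the loopback-only `mysqld` is accepted), and the sshd check reports the three permissive directives plus the missing `MaxAuthTries`. Scheduling the same check and diffing its output over time is the monitoring step the post mentions: a new finding is a configuration change that somebody needs to explain.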
The best kind of security is obscurity! So batten down the hatches by ditching your fancy *nix/BSD servers and get those old Amigas you have stashed in a loft somewhere up and running. Bonus points for using a C64.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
I've used the network equipment guides to harden routers and switches before and they are very handy.
I can't speak to how well they withstand attacks after that, but if you follow their instructions an nmap scan basically reveals no open services (ssh ports have their own access lists).
I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."
Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.
The Windows XP guide is also available, though they also point to the MS guides since they have become very good. If nothing else, a quick glance through the services to disable can be helpful.
Where did you find a Windows Gold Disk that doesn't make a complete mess of the OS? I'd really like to get that because I've never gone through that process and still had the application the box is designed for work. In fact it's typically worse with Windows because when something gets a permission denied (especially on something like a Registry key), it won't be like Unix and spit out a message like "Error: File /foo/bar: Permission denied"; instead your application will crash and spit out a message like "Error: failure" to the system log (and only if you're lucky will it put something in the system error log). Since locking down Windows means changing the ACL on just about everything on the system, it's almost impossible to track down what broke your application.
A lot more work and a lot less dead time than waiting for IT to resurrect a completely fsck'd system, maybe?
You could always bring in a lappy and do like this guy did ...
The NSA doesn't really care about hardening your system, they care about their own, first and those of the other US government agencies after that. They produce these guidelines to be used by other agencies, and contractors for use on systems that the NSA will then purchase.
As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.
How hard is it to get any real work done on a super locked down system without a lot of dead time waiting for IT to unlock what you need to get your job done?
So kindly go fuck yourself with your condescending attitude.
I read through the NSA guide for OSX 10.3 and it's surprisingly basic. Most of it just repeats common advice on Mac security that you can get from a number of places. Some of it covers things that the average user wouldn't do like disconnect the microphone so that a spy can't hack in, activate it and listen in on your conversations. The one part which I thought was good was the section on when and how to use the Keychain.
You might try (on a test box) the security information/tools CIS (Center for Internet Security) has to offer. I have had good experience with the information for AIX (of all things). They provide automated tools for Windows and a few other OSs.
You can do that with group policy, but it's very time-intensive. Basically, you whitelist your approved binaries by filename with a hash to ensure people don't just rename their game "explorer.exe".
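The comment above makes the key point of application whitelisting: the decision has to key on the content hash, because a file name is whatever the user chooses to call it. As an added illustration, not code from the thread and not Group Policy itself, here is the same rule written out in Python: an allowlist is built from approved binaries by SHA-256, and a candidate is allowed only when its hash is on the list, with a name collision against a different hash called out as a renamed or modified file. The byte strings standing in for executables and the file names are constructed for the example.

```python
"""Execution allowlist keyed by content hash rather than file name, so that a
renamed binary does not inherit the trust of the name it borrows."""
import hashlib
import os
import tempfile

# Constructed stand-ins for executable contents; a real allowlist hashes the actual binaries.
APPROVED_EXPLORER = b"MZ\x90\x00 constructed stand-in for the approved explorer.exe"
SOME_GAME = b"MZ\x90\x00 constructed stand-in for a game someone renamed"


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Map sha256 hex digest -> canonical file name for each approved executable."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}


def check_executable(path, allowlist):
    """Return (decision, reason). 'allow' only when the content hash is on the list.
    A file that borrows an approved name but carries a different hash is denied and
    labelled as such, since that is exactly the rename trick the allowlist exists to stop."""
    digest = sha256_file(path)
    name = os.path.basename(path)
    if digest in allowlist:
        return "allow", f"hash matches approved {allowlist[digest]}"
    if name in allowlist.values():
        return "deny", f"{name} has an unapproved hash {digest[:12]}... (renamed or modified binary)"
    return "deny", f"{name} is not on the allowlist"


def demo():
    """Build an allowlist from one approved copy, then evaluate three candidates.
    Returns a dict of decisions so the outcome can be inspected programmatically."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved", "explorer.exe")
        os.makedirs(os.path.dirname(approved))
        with open(approved, "wb") as f:
            f.write(APPROVED_EXPLORER)
        allowlist = build_allowlist([approved])

        userdir = os.path.join(d, "user")
        os.makedirs(userdir)
        candidates = {
            # identical bytes at a different location: should be allowed
            "genuine": (os.path.join(userdir, "explorer.exe"), APPROVED_EXPLORER),
            # a game renamed to an approved name: should be denied as an unapproved hash
            "renamed": (os.path.join(userdir, "games", "explorer.exe"), SOME_GAME),
            # the same game under its own name: denied, simply not listed
            "unknown": (os.path.join(userdir, "game.exe"), SOME_GAME),
        }
        results = {}
        for label, (path, content) in candidates.items():
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
            results[label] = check_executable(path, allowlist)
        return results


if __name__ == "__main__":
    for label, (decision, reason) in demo().items():
        print(f"{label:8s} {decision:5s} {reason}")
```

The cost the comment mentions is visible in the design: every approved binary, and every patched version of it, needs its hash added, which is why hash-based rules are so much more maintenance than path-based ones and why they are usually reserved for the handful of programs a locked-down workstation is allowed to run.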
Basic hardening of a Windows system has stood us in good stead here. IE's locked down so sites can't run scripts. CD-ROM drives are disabled, users can't install USB thumb drives. All e-mail and internet access is filtered.
It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.
System hardening is effective at defeating certain classes of attacks. That said, most security breaches are NOT due to fancy footwork with memcpy or other low-level wizardry. They're due to either:
1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.
2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help.
... but in the end, users just want to do whatever it is they're using the computer for. If an attacker can convincingly pretend to be legitimate, or present a convincing enough temptation, users will bypass, override or disregard any level of protection. Vista's UAC is the canonical example here - great idea foiled by end users (granted, the implementation was almost guaranteed to train users to eventually ignore the constant repeated warnings).
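The first failure mode in the post above (a database the Internet cannot reach directly, but which the web tier trusts completely) is something a defender can check for mechanically rather than by inspection. The following is an added example, not code from the thread, that audits a constructed zone-to-zone flow policy: it computes the blast radius of a compromised zone, enumerates the pivot paths from an untrusted zone to a sensitive one, and lists which trusts into the sensitive zone an intruder would inherit. The zone names and both policies are assumptions; the "hardened" variant simply drops the web tier's direct database access, as the least-privilege principle in the post suggests.

```python
"""Trust-relationship audit over a constructed zone-to-zone policy: which
sensitive trusts become reachable once an Internet-facing zone is compromised."""

# Constructed policy, not taken from any real network: zone -> zones it may connect to.
# Mirrors the poster's example: the Internet cannot reach db, but web has full access.
ALLOWED_FLOWS = {
    "internet": {"web"},
    "web": {"db", "internal_api"},
    "internal_api": {"db"},
    "admin_vpn": {"web", "db"},
    "db": set(),
}

# Same policy with the web tier limited to the internal API it actually needs.
HARDENED_FLOWS = {
    "internet": {"web"},
    "web": {"internal_api"},
    "internal_api": {"db"},
    "admin_vpn": {"web", "db"},
    "db": set(),
}


def blast_radius(flows, start):
    """All zones reachable from `start` by following allowed flows (breadth-first),
    i.e. everything an intruder who holds `start` can go on to talk to."""
    seen = {start}
    queue = [start]
    while queue:
        zone = queue.pop(0)
        for nxt in flows.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def simple_paths(flows, source, target, _path=None):
    """Every loop-free chain of zones from source to target, in sorted neighbour order."""
    path = (_path or []) + [source]
    if source == target:
        return [path]
    paths = []
    for nxt in sorted(flows.get(source, ())):
        if nxt not in path:
            paths.extend(simple_paths(flows, nxt, target, path))
    return paths


def exposed_trusts(flows, untrusted, sensitive):
    """Edges into a sensitive zone whose source is reachable from the untrusted zone.
    Each (src, dst) pair is a trust the untrusted side inherits transitively; trusts
    whose source is unreachable (here admin_vpn -> db) are not reported."""
    reach = blast_radius(flows, untrusted) | {untrusted}
    return sorted((src, dst) for src in reach
                  for dst in flows.get(src, ()) if dst in sensitive)


if __name__ == "__main__":
    for label, flows in (("current", ALLOWED_FLOWS), ("hardened", HARDENED_FLOWS)):
        print(f"[{label}] blast radius of internet: {sorted(blast_radius(flows, 'internet'))}")
        for p in simple_paths(flows, "internet", "db"):
            print(f"[{label}] path to db: {' -> '.join(p)}")
        print(f"[{label}] exposed trusts into db: {exposed_trusts(flows, 'internet', {'db'})}")
```

On the constructed policy the audit finds two pivot paths to the database and two exposed trusts (`web -> db` and `internal_api -> db`); the hardened policy still has one path, through the API tier, which is the honest result: least privilege on the network shrinks what a web compromise can reach, and the remaining path is where the application-level controls (restricted database accounts, parameterised queries) have to carry the weight.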
The NSA, and state entities in general, has an interest in increasing security, even though it sometimes makes its job less convenient. The reason is pretty simple: insecure systems can be broken by anybody with sufficient knowledge and motivation, NSA, spammers, organized crime, foreign intelligence services, etc. Secure systems can be broken by a search warrant, only available to state entities. There are, I'm sure, a number of exceptions to this trend; but for something like computer security, the government's best interests are pretty clear.
The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
As for the "handout" angle, SELinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.
If your IT admins locked the system down to the point that you can't get work done, they have failed and you, or your boss, have the obligation to raise the issue.
Responsible IT departments can configure your systems while still allowing you to work.
Hardening has been around for years
SELinux
RSBAC
PaX
Grsecurity
Bastille
apparmor
are not new, it's just that they are finally getting into the mainstream distros. If you wanted a secure Linux system you could have had one 5/10 years ago, it's just that you had to actually do it yourself.
Probably. What risk does it introduce, which you didn't already have?
The situation simply cannot get any worse from the perspectives of security and trust, so what is the downside? You might as well let NSA patch things to oppose their competitors' access. A machine with one master that is potentially hostile to you, is better than a machine with multiple masters that are potentially hostile to you.