Archive for the ‘Systems Engineering’ Category

Baking in security with a technology, practices, projects approach

How can we keep our IT systems secure?

It comes down to baking in the security from the beginning. Each new technology initiative is an opportunity to increase our overall security.

So we get a new project. In the beginning phases, while evaluating projects, we push to ensure that security is a consideration and that the vendors are asked about the security features as well as the functional features. Once the technology is selected and purchased, we work with the project team to ensure that security steps are included in the project plan. We pull the software in-house, install it, beat up on it, and assess for any vulnerabilities. When the project completes and the system is released to the end-users, it goes out the door in a secure state.

Such a secure state comes in part from experience, in part from training, and in part from industry practices. Proven practices such as deployment guides or NIST publications are excellent sources of information security. As part of any project or as part of securing any technology, such practices should be tried and evaluated. The goal is to apply not only what we know works, but also what the industry has found to work.

Researching and applying proven practices needs to be a task in every technology project. Take a Linux or a Windows server, install the new software for the project, and apply best practice guidance to it. At the very beginning of the project, lock down files and registry keys. Work through any issues that the security may cause early on in the project, before other departments get involved. The result is a system as tight and neat as is possible. By baking these steps into the project plan, we ensure that new systems come online securely.

Security is technology, practices, and project-centric.

Load balance SSH without “Potential Security Breach” or “Someone Is Doing Something Nasty”

You set up a couple of servers with SSH and load balance them. Then Linux users start reporting that they are seeing “It is possible that someone is doing something nasty!” and Windows users say that PuTTY is complaining “Warning – potential security breach!” Why?

SSH uses an RSA private/public key pair. The public key is saved on the client as the SSH server’s host key fingerprint. Linux users can find these keys under ~/.ssh/known_hosts and ~/.ssh/known_hosts2. Windows users can find the keys in the registry under [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]. The errors occur when two (or more) SSH servers answer to the same FQDN but use different private keys.

This is the same thing we see when we load balance Web servers. The workaround there is to export the private/public certificate from one computer and apply it to all computers in the load balanced set. The clients then receive the same certificate regardless of which computer their Web browser connects to.

The same workaround applies to load balanced SSH servers. Take the host key pair from one, and apply it to all other SSH servers in the set. The files are /etc/ssh/ssh_host_rsa_key (private) and /etc/ssh/ssh_host_rsa_key.pub (public). You may also want to copy /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_dsa_key.pub if you are supporting DSA host keys.

A word of caution regarding the security and validity of the private keys. We had the same discussion with Web servers. The idea behind private/public key cryptography is that one (and only one) entity has the private key. This guarantees to the end-user the identity of the remote end-point. Copying the keys weakens that guarantee. Given that it is one entity (your organization) that controls the keys, and given that you are applying them only to a single DNS hostname backed by a single load balanced set, you should rest easy. Just take care not to copy the SSH keys to anything other than these servers.

OpenSSH client (4.1) error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: HOST IDENTIFICATION HAS CHANGED!        @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:xx
RSA host key for hostname has changed and you have requested strict checking.
Host key verification failed.

PuTTY (0.54) error message:

WARNING – POTENTIAL SECURITY BREACH!

The server’s host key does not match the one PuTTY has
cached in the registry. This means that either the
server administrator has changed the host key, or you
have actually connected to another computer pretending
to be the server.
The new key fingerprint is:
ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
If you were expecting this change and trust the new key,
hit Yes to update PuTTY’s cache and continue connecting.
If you want to carry on connecting but without updating
the cache, hit No.
If you want to abandon the connection completely, hit
Cancel. Hitting Cancel is the ONLY guaranteed safe
choice.
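An added check (not from the original post) that a load-balanced SSH set presents one host key: it computes the MD5 colon fingerprint that OpenSSH 4.x and PuTTY 0.54 display from each backend's ssh_host_rsa_key.pub line (or a client's known_hosts line) and flags a pool whose backends disagree. The backend names (ssh1, ssh2) and key lines are constructed placeholders, not real keys.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")   # the RSA and DSA host keys the post copies

def fingerprint_md5(line: str) -> str:
    """MD5 fingerprint (xx:xx:...) of a key in a .pub or known_hosts line.

    Both formats carry '<type> <base64 blob>'; known_hosts prefixes the hostname.
    OpenSSH 4.x and PuTTY 0.54 show the MD5 of the decoded blob in colon-hex form.
    """
    parts = line.split()
    for idx, tok in enumerate(parts[:-1]):
        if tok in KEY_TYPES:          # match the key type, not a hostname like ssh-gw
            digest = hashlib.md5(base64.b64decode(parts[idx + 1])).hexdigest()
            return ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    raise ValueError("no ssh-rsa/ssh-dss key found in line")

def group_by_fingerprint(backend_keys: dict) -> dict:
    """{backend: key line} -> {fingerprint: [backends presenting it]}.

    One entry means every backend behind the load balancer presents the same
    key; more than one means clients get the 'host identification has changed'
    warning whenever the balancer hands them a different backend.
    """
    groups = {}
    for backend, key_line in backend_keys.items():
        groups.setdefault(fingerprint_md5(key_line), []).append(backend)
    return groups

def pool_is_consistent(backend_keys: dict) -> bool:
    return len(group_by_fingerprint(backend_keys)) == 1

# Constructed sample: the base64 blobs are arbitrary bytes, not real RSA keys,
# which is enough to exercise the fingerprinting and comparison logic.
KEY_A = "ssh-rsa " + base64.b64encode(b"constructed host key A").decode() + " root@ssh1"
KEY_B = "ssh-rsa " + base64.b64encode(b"constructed host key B").decode() + " root@ssh2"
KNOWN_HOSTS_LINE = "ssh.example.test " + KEY_A   # how a client caches the same key

CONSISTENT_POOL = {"ssh1": KEY_A, "ssh2": KEY_A}    # key pair copied to both
INCONSISTENT_POOL = {"ssh1": KEY_A, "ssh2": KEY_B}  # each server generated its own

if __name__ == "__main__":
    for label, pool in (("consistent", CONSISTENT_POOL), ("inconsistent", INCONSISTENT_POOL)):
        print(label, group_by_fingerprint(pool))
```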

Spot problem Windows Servers (automatic updates)

If the Windows Server uptime is more than 30 days, then the server is a problem child. That’s a basic rule of thumb.

Windows Updates come out every month. Every month, a Windows Server should be updated and rebooted. If it is not, then there is a problem.

One way to check for this is to match the current crop of updates against the updates applied on the server. This takes a bit of time but gives a better indication of the server state. A quicker way is to scan for servers with uptime >= 30 days.

Below is a basic script that checks and reports the uptime. It’s trivial to modify into a problem child scanner.

Bonus tip: reboot your servers both before and after the updates. This minimizes problems applying the updates that may occur when files are open or processes are hung.

Happy patching.

'-----------------------------------------------------------------
' Name:   uptime.vbs
' Author: J Wolfgang Goerlich
' Date:   2005-05/07
' Description: Report uptime and possible concerns
'-----------------------------------------------------------------

Option Explicit

' Dimension variables
Dim wmi ' SWbemServices, WMI interface
Dim wns ' WMI namespace
Dim wql ' WMI Query Language
Dim computer
Dim oShell
Dim results
Dim os
Dim D, H, M, S

' Get the computer name: first argument, or the local machine if none given
Set oShell = WScript.CreateObject("WScript.Shell")
If WScript.Arguments.Unnamed.Count >= 1 Then
    computer = Trim(LCase(WScript.Arguments(0)))
Else
    computer = LCase(oShell.ExpandEnvironmentStrings("%ComputerName%"))
End If

' Get the uptime (SystemUpTime is reported in seconds)
wns = "winmgmts:\\" & computer & "\root\cimv2"
wql = "Select SystemUpTime From Win32_PerfFormattedData_PerfOS_System"

Set wmi = GetObject(wns)
Set results = wmi.ExecQuery(wql)

For Each os In results
    S = os.SystemUpTime
Next

' Report the uptime and status: split the seconds into days, hours, minutes, seconds
M = S \ 60 : S = S Mod 60 : H = M \ 60 : M = M Mod 60 : D = H \ 24
WScript.Echo "Computer: " & computer
WScript.Echo "Uptime: " & D & " Days, " & H Mod 24 & " Hours, " & M & " Minutes"
' Threshold for flagging a server; raise it to 30 to match the monthly patch cycle
If D >= 2 Then WScript.Echo "Problem child!"

Detecting information leakage in Windows Server

Information leakage can occur when people with access to sensitive information copy the information to an insecure location. For example, a company’s financials may be stored on a file server. This server has restricted CIFS share permissions and restricted NTFS file system permissions. An employee with access copies these financials down and burns them to a CD. As there are no permissions or restrictions on the CD, anyone now has access to this sensitive information.

Detective controls exist in Windows Server and Windows XP to catch these types of situations.

Server-side

Simply set up SACL (system access control list) auditing entries on the file server. Right-click the folder, choose Properties, click the Security tab and then click Advanced. On the Advanced dialog, click the Auditing tab and then click Edit. I recommend checking “List Folder / Read Data”, “Create Files / Write Data”, “Create Folders / Append Data”, and “Delete Subfolders and Files”. This will generate events in the Security log when files are accessed. For example:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: DOMAIN\username
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume20\Share\Sensitive Files\Financials.xls
Handle ID: 20492
Operation ID: {0,1917999625}
Process ID: 4
Image File Name:
Primary User Name: SERVER$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: username
Client Domain: DOMAIN
Client Logon ID: (0x0,0x6CEC6800)
Accesses: ReadData (or ListDirectory)

Client-side

The event log will now tell you when files are opened, copied, or modified by employees. Next, watch the Windows desktops to see what they are doing with these files.

The registry contains a wealth of information on external storage devices. Monitor the following keys to see if external devices are being attached.

Floppy disks – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\FDC]
Firewire devices – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\sbp2]
IDE – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE]
SCSI – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI]
USB – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\usbstor]

Monitor other registry keys to see what programs are being run. In particular, look for bulk copy utilities, backup programs, FTP clients, CD burners, and so on. Open the user’s registry file (ntuser.dat) and browse to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist]

This UserAssist key has several entries that represent recently used programs. Each entry is ROT13-encoded and formatted as follows: GUID, index, action, session key, number of times the application has executed, and the date and time it was last executed. The section you want is the action, specifically the UEME_RUNPATH:<executable> entries.
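An added example (not from the original post) of the client-side check: it decodes constructed Windows XP UserAssist value names and values the way the post describes, keeping only the UEME_RUNPATH entries. It assumes the XP layout of each 16-byte value as session id, run count (which XP stores with an offset of 5) and FILETIME of the last run; the sample names and values are constructed, not taken from a real ntuser.dat.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5          # XP stores the first run as 6, so subtract 5
RUNPATH_PREFIX = "UEME_RUNPATH:"

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_userassist(entries: dict) -> list:
    """entries: {rot13 value name: raw 16-byte value} read from the GUID's
    Count subkey. Returns the programs launched by path, oldest run first."""
    runs = []
    for enc_name, raw in entries.items():
        name = codecs.decode(enc_name, "rot13")
        if not name.startswith(RUNPATH_PREFIX):
            continue         # UEME_RUNPIDL, UEME_UISCUT etc. are not path launches
        if len(raw) != 16:
            continue         # not the XP layout; skip rather than misparse it
        session, count, ft = struct.unpack("<IIQ", raw)
        runs.append({
            "exe": name[len(RUNPATH_PREFIX):],
            "session": session,
            "run_count": max(count - XP_COUNT_OFFSET, 0),
            "last_run": filetime_to_datetime(ft) if ft else None,
        })
    runs.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH)
    return runs

# Constructed sample: hand-ROT13'd value names and packed values.
# 127490112000000000 is the FILETIME for 2005-01-01 00:00:00 UTC;
# 36000000000 ticks is one hour later.
T0 = 127490112000000000
SAMPLE_ENTRIES = {
    "HRZR_EHACNGU:P:\\Jvaqbjf\\ertrqvg.rkr": struct.pack("<IIQ", 1, 8, T0),
    "HRZR_EHACNGU:Q:\\hgvyf\\sgc.rkr": struct.pack("<IIQ", 1, 6, T0 + 36000000000),
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf": struct.pack("<IIQ", 1, 7, T0),
}

if __name__ == "__main__":
    for run in decode_userassist(SAMPLE_ENTRIES):
        print(run["last_run"], run["run_count"], run["exe"])
```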

In summary, enable SACL auditing on the Windows Servers and be prepared to spot-check Windows XP clients. By combining server-side auditing and client-side forensics, you will be able to curtail information disclosure.

Tip: Identifying file types

Suppose you have a good chunk of binary and you are not sure what it is. The bits could be an executable, an image, a sound file, or simply random ones and zeroes. How do you identify the file?

One means is to open the file in a hex editor and inspect the first few bytes for a magic number. These characters indicate to the operating system and applications how to treat the file. Some common ones are 0xCAFEBABE for Java class files, MZ (0x4D5A) for Windows executables, and ELF (0x7F454C46) for Linux executables. So there you go. Memorize a few dozen magic numbers and get quick with the hex editor.

There is a slightly easier method. Check out the file command in Unix, Linux, and Cygwin. “File tests each argument in an attempt to classify it. There are three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test that succeeds causes the file type to be printed.” The file command is rather handy and does not require memorization.

For example:

Administrator@myhome ~
$ file windows.exe
regedit.exe: PE32+ executable (GUI) x86-64, for MS Windows

Administrator@myhome ~
$ file linux.app
linux.app: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8ac30d36c853cf70fdfb9eb8182305e4ee68a609, stripped
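An added classifier (not from the original post) that does programmatically what the hex editor approach describes: it checks the leading bytes against the Java, MZ and ELF signatures the post lists and, like file(1), follows the PE and ELF headers to tell PE32 from PE32+ and 32-bit from 64-bit ELF. The sample byte strings are constructed headers, not real binaries.

```python
import struct

def identify(data: bytes) -> str:
    """Classify a byte string from its leading bytes. The input is untrusted,
    so every header field is bounds-checked before it is used as an offset."""
    if data[:4] == b"\xca\xfe\xba\xbe":
        return "Java class file"
    if data[:4] == b"\x7fELF" and len(data) >= 6:
        # e_ident[4] is the class (1 = 32-bit, 2 = 64-bit), e_ident[5] the byte order
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown-class")
        endian = {1: "LSB", 2: "MSB"}.get(data[5], "unknown-endian")
        return f"ELF {bits} {endian}"
    if data[:2] == b"MZ":
        # DOS header: e_lfanew at offset 0x3C points to the "PE\0\0" signature
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00" and len(data) >= pe_off + 26:
                # optional header Magic is 24 bytes past the PE signature
                magic = struct.unpack_from("<H", data, pe_off + 24)[0]
                if magic == 0x10B:
                    return "PE32 executable for MS Windows"
                if magic == 0x20B:
                    return "PE32+ executable for MS Windows"
        return "MS-DOS executable"
    return "data"

def build_pe_sample(magic: int) -> bytes:
    """Constructed minimal DOS header + PE signature + optional header Magic,
    just enough for identify(); not a loadable executable."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 20 + struct.pack("<H", magic)

# Constructed samples covering each branch, including truncated input
SAMPLES = {
    "java.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31",
    "linux.app": b"\x7fELF\x01\x01\x01" + bytes(9),
    "linux64.app": b"\x7fELF\x02\x01\x01" + bytes(9),
    "windows.exe": build_pe_sample(0x20B),
    "win32.exe": build_pe_sample(0x10B),
    "stub.exe": b"MZ\x90\x00",
    "random.bin": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {identify(blob)}")
```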

Clearing a DNS server cache using VBscript and WMI

When troubleshooting a DNS server on Windows Server 2003, you may need to clear the DNS cache. This can be done from the GUI: dnsmgmt.msc, right-click the server, Clear Cache. Whacking the DNS cache can also be done from the command line: dnscmd %computername% /clearcache. Then again, you may want to clear remotely using a script (or clear a number of servers at once).

The VBScript below clears out the cache. It uses WMI to connect to the MicrosoftDNS namespace. If that namespace does not exist, as it will not on servers that do not have DNS installed, WMI throws a 0x8004100E error (Invalid namespace). So the script first loops through the available namespaces to confirm that MicrosoftDNS is present. If it is, the script connects and executes the .ClearCache() method.

'-----------------------------------------------------------------
' Name:   dnscachecls.vbs
' Author: J Wolfgang Goerlich
' Date:   2004-08/03
' Description: Clear DNS cache using WMI
'-----------------------------------------------------------------

Option Explicit

' Dimension variables
Dim wmi ' SWbemServices, WMI interface
Dim wns ' WMI namespace
Dim wql ' WMI Query Language
Dim computer
Dim oShell
Dim results
Dim namespace
Dim dns
Dim isdnsserver

' Get the computer name: first argument, or the local machine if none given
Set oShell = WScript.CreateObject("WScript.Shell")
If WScript.Arguments.Unnamed.Count >= 1 Then
    computer = Trim(LCase(WScript.Arguments(0)))
Else
    computer = LCase(oShell.ExpandEnvironmentStrings("%ComputerName%"))
End If

' Confirm the server is a DNS server by looking for the MicrosoftDNS namespace
' under root; connecting to it directly on a non-DNS server raises 0x8004100E
wns = "winmgmts:\\" & computer & "\root"
isdnsserver = False

Set results = GetObject(wns).InstancesOf("__NAMESPACE")

For Each namespace In results
    If namespace.Name = "MicrosoftDNS" Then isdnsserver = True
Next

If isdnsserver = False Then
    WScript.Echo computer & " is not a DNS server."
    WScript.Quit
End If

' Clear the DNS cache
wns = "winmgmts:\\" & computer & "\root\MicrosoftDNS"
wql = "Select * From MicrosoftDNS_Cache"

Set wmi = GetObject(wns)
Set results = wmi.ExecQuery(wql)

For Each dns In results
    dns.ClearCache()
Next

WScript.Echo "DNS cache cleared on " & computer

Sending Windows event logs to Syslog

Many network devices utilize the Syslog protocol for sending logging to centralized log management tools. But Windows utilizes a proprietary logging format in Application, Security, and System logs. How can we get these logs into Syslog?

Check out the NTsyslog project on SourceForge. NTsyslog installs as a Windows service. Periodically, NTsyslog polls the Windows event logs. The service then reformats the event and sends it out over the Syslog protocol. Under the hood, NTsyslog is written in Microsoft C++ and leverages the Microsoft Foundation Class Library (MFC) to access the Win32 API. NTsyslog is available for free under the GPL license.

Strategies for allowing guest access

From time to time, guests and other non-employees will need access to an organization’s network. This poses a bit of risk, as their equipment has an unknown security posture. It is not unheard of for a vendor to bring a fast-spreading worm into an organization and give it free rein behind the firewall. Oh, it is always by accident to be sure, but there is damage nonetheless.

What are some of the strategies for allowing access while minimizing risk?

Kiosks. This falls under the “don’t do it” line of thinking. Rather than allow guest access onto the network, provide guest accounts on kiosk computers throughout the facility. Pros: no risk from infected computers; controlled environment. Cons: reduced collaboration; increased equipment costs; may cause political pushback.

Trust but verify. Dispatch a support person to scan any notebooks or media the vendor is bringing in. Ensure it meets your security standards. Have the guest sign an acceptable use policy. Pros: reduced risk of infected computers brought into the environment. Cons: increased personnel costs; slower response time (which may translate to dollars if the consultant cannot work); may cause political pushback.

Trust but segment. Put computers not managed by the organization onto a separate network. I have seen this done two ways. Use network-level authentication and route computers onto a wired vlan. Alternatively, use network-level authentication to block all non-managed devices, and then provide guest wireless. Either way, keep the guest traffic separate from trusted traffic.

Trust but really segment. Take the last one a few notches further. I have seen separate network switches used for guests and production. The air gap is a good measure to prevent against accidental misconfiguration. I have also seen separate Internet connections, to avoid the guest traffic competing for bandwidth.

Those are some options. Are you using one that I did not cover? Let’s discuss.