8.4 Computer Security and Hardening Systems

The term “hardening systems” comes from the phrase “to become a hard target.” There are many ways that administrators and security personnel can make systems hard targets, and how a system is hardened depends on its OS, the role or function it fulfills in the organization, and the vulnerabilities present in it. In this section, we present some of the more common methods used to make systems hard targets, such as removing dangerous software and turning off unneeded services on both hosts and servers.

8.4.1 Ensuring a Trusted Configuration

Limiting or hiding systems is one of the means of hardening them. Software and services can be shielded even if a host computer is discovered. We can do this using proxy hardware and software. Proxy software refers to modules that intervene between one application and another. Earlier, we mentioned the UNIX sendmail program. The proxies smap and smapd are used to help shield the UNIX sendmail system because it is very vulnerable to exploits. The sendmail system on UNIX-type systems is an email transfer and delivery facility developed around the Simple Mail Transfer Protocol (SMTP). Although sendmail is very flexible, it is a monolithic system that has been prone to security holes and uses the dangerous setuid feature. The smap proxy intercepts incoming messages and stores them in a special directory on disk. While smap must execute in privileged (kernel) mode, it does so only within that confined directory, with actions that are profiled and logged. The smapd daemon scans the hidden directory and, after initially filtering the messages, sorts them for delivery to the appropriate accounts through the normal sendmail system; alternatively, it can send messages to specific programs or accounts where additional filtering rules are applied and virus scanners are run before delivery.

In addition to proxies for exposed services such as email, hardening computers includes removing any software that is not required for the role the computer fulfills. For example, there should be no development toolkits on gateway servers. Administrators should remove all Guest accounts, change default passwords, change the login ID of the Administrator account on Windows systems, ensure that Windows shares are constrained, and make sure that OS and application patches are installed and kept up to date. Turning off unneeded services is important to hardening, but the operative word is unneeded: turning off an important service can render a host inoperative. Needed services should be monitored, and any changes or deviations from normal patterns should be investigated. This includes seemingly innocuous anomalies, such as what appears to be a legitimate service communicating over an unconventional port, or behaving in unexpected ways, such as consuming large amounts of system resources (disk, processing, and/or network).

Another important hardening feature is to encrypt the data stored on disk. Some OSs have options to create encrypted partitions. Cryptographic tools are also readily (and often freely) available and easy to use, such as Cypherix Cryptainer®, which uses AES to encrypt files on disk. A password is supplied to encrypt a file, and a hint is given in case the password is forgotten. To open a file, the correct password (and hence key) must be supplied. Some systems administrators purposefully change the ports that services use from their defaults, for example moving a web service that would normally listen on port 80 to port 8080; such changes should be known, documented, and monitored. Administrators should also be aware of what should be running and which protocol it uses. For example, a service that is legitimate over the Transmission Control Protocol (TCP) might not be legitimate over the User Datagram Protocol (UDP). The Windows OS offers restore points for configuration management. Administrators need to review the disk space allocated to restore points and be aware of the consequences of a restoration if a system becomes corrupted.

Services on UNIX-based machines such as Linux or macOS run as daemons, and many are started using the cron scheduling program as defined in the /etc/services file. Running the ps command as root (superuser) can show these services. On Windows, launching the Task Manager and examining the Processes tab will show services. However, in both cases, not all services will be seen, nor will they be easily identified. An administrator on Windows might be able to identify services better by launching Services.msc from the Start menu’s Run command, but this does not completely solve the problem either. Process monitors are needed to find all the hidden processes that might be running.

8.4.2 Password Protections

There is a cliché that the easiest way into a house is through the front door. The front door of a computer system is the login screen. Even though great strides have been made in the Windows password facilities and in the use of shadow passwords on UNIX-based systems, the simple password protection mechanisms built into Windows and UNIX are often not sufficient to prevent a breach by a “crack” utility, a man-in-the-middle attack, or a capture-and-crack tool such as Cain and Abel. If a system is exposed to a public interface such as the Internet, something more is needed for host hardening.

Improvements in securing passwords include one-time passwords, tokenized passwords, and various types of challenge-response passwords. A one-time password system creates a list of passwords; one copy is stored on the host computer, another copy is given to the user (either electronically or on paper), and each subsequent login uses a different password from the list. One-time passwords generally cannot be guessed if the passwords are chosen at random or from a well-guarded source. The downside of one-time passwords is that they are quite inconvenient: the list must be consulted at each login, the list must be kept secure, and once the list is used up, a new list must be generated.

Leslie Lamport developed an interesting technique in the 1980s that uses a server to keep a database of user logins. In this approach, the name of the user is used for authentication. An integer $n$ is decremented each time the user logs in, and a function $f$ is applied to the password $n$ times, a process called repeated hashing. A simplified description of repeated hashing works as follows. If Mike wants to log into Dan’s machine, he supplies his username to Dan; Dan’s machine then sends $n$ to Mike. Mike’s computer computes $f^{n-1}(\text{Mike's password})$ and sends that to Dan’s machine (we will call this value $x$). Dan’s machine then computes $f(x)$, which equals $f^{n}(\text{Mike's password})$, and compares it with the entry in the database. If the database entry matches $f(x)$, Dan allows the login, decrements $n$, and stores $f^{n-1}(\text{Mike's password})$ (that is, $x$) in the database. S/Key, developed by Phil Karn, is probably the most commonly recognized repeated hashing algorithm. Other repeated hashing algorithms have been developed using different hash functions, such as Message Digest 5 (MD5).
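The exchange above, carried through in code as an added example that is not from the text or from S/Key itself (it assumes SHA-256 as the one-way function $f$ and assumes the chain is retired when $n$ reaches 1, so the raw password is never stored):

```python
import hashlib
import secrets


def f(value: bytes) -> bytes:
    """One application of the one-way function f (SHA-256 is an assumption here)."""
    return hashlib.sha256(value).digest()


def f_pow(value: bytes, times: int) -> bytes:
    """Repeated hashing: f^times(value)."""
    for _ in range(times):
        value = f(value)
    return value


class LamportServer:
    """Dan's machine: keeps (n, f^n(password)) for each user."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[int, bytes]] = {}

    def enroll(self, user: str, password: bytes, n: int) -> None:
        # Enrollment is the only step that touches the password; in practice the
        # client would compute f^n(password) itself and send only that value.
        self.db[user] = (n, f_pow(password, n))

    def challenge(self, user: str) -> int:
        """Step 1: the server tells the client the current n."""
        return self.db[user][0]

    def login(self, user: str, x: bytes) -> bool:
        """Step 3: accept x only if f(x) equals the stored f^n(password)."""
        n, stored = self.db[user]
        # Assumption: refuse when n == 1, since accepting f^0 = the password itself
        # would put the cleartext password into the database; re-enroll instead.
        if n <= 1 or not secrets.compare_digest(f(x), stored):
            return False
        self.db[user] = (n - 1, x)  # store f^(n-1)(password) and decrement n
        return True


def client_response(password: bytes, n: int) -> bytes:
    """Step 2: Mike's computer computes x = f^(n-1)(password)."""
    return f_pow(password, n - 1)


if __name__ == "__main__":
    server = LamportServer()
    server.enroll("mike", b"constructed-sample-password", 5)
    x = client_response(b"constructed-sample-password", server.challenge("mike"))
    print("first login:", server.login("mike", x))   # True
    print("replayed x:", server.login("mike", x))    # False: f(x) is f^5, but f^4 is now stored
```

Replaying a captured $x$ fails because the server now holds $f^{n-1}$, and $f(x) = f^{n}$ no longer matches, which is the property that makes the scheme resist password capture on the wire.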

8.4.3 User Authentication

Earlier we presented some aspects of how authentication is done by native OSs, but realize that there are other software add-ons that augment this capability. Where user login IDs and passwords are used for identification, the user cannot be taken at his or her word if the system is to be hardened, so the user must be authenticated. Authentication strives to determine whether you are who you say you are. Of course, a user in this sense is a process executing on behalf of someone and is not a real person. Electronic tokens in Kerberos are an example of how users can be authenticated. From a Kerberos implementation view, tokens are devices that generate a password for a “real” user. Because an intruder can fake his or her way into a conversation, Kerberos precludes this by synchronizing the token with the other computers in the communication and then changing the passwords on the devices at varied intervals measured in seconds.

While this technique makes it quite difficult for an imposter to fake the identity of an authentic user, the security of the system depends on the security of the token, and a lost token equates to a lost password. Kerberos is one popular method for authentication, as we mentioned, but it is not the only one. Other authentication approaches include challenge-response schemes, in which, as with repeated hashing, the machine that a user attempts to log on to generates some specific information for use in subsequent communications. That information is processed either as a token by the user or by the user’s system to produce a secret code exchanged between the communicating parties. In the latter case, the user needs a physical security ID device, such as an RSA token that plugs into the computer. The code is good only once, and only for a short time, less than a few seconds.
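The challenge-response flow just described, as an added example that is not the text's own code nor any vendor's token protocol: the server issues a random challenge, the token derives the code from a shared key (HMAC-SHA256 is an assumption), and the server accepts each code once and only within a short window (the clock is injected so the expiry can be exercised without waiting).

```python
import hashlib
import hmac
import secrets
import time


def token_response(key: bytes, challenge: bytes) -> bytes:
    """The token (or user's system) turns the server's challenge into a code."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    """The machine being logged on to: issues challenges and checks the codes."""

    def __init__(self, shared_keys: dict, lifetime_s: float = 3.0, now=time.monotonic):
        self.keys = shared_keys      # user -> key provisioned on that user's token
        self.pending = {}            # user -> (challenge, time issued)
        self.lifetime = lifetime_s   # how long a code stays valid (assumed value)
        self.now = now               # clock; replaceable for testing

    def issue_challenge(self, user: str) -> bytes:
        """Generate the 'specific information' the user must process."""
        challenge = secrets.token_bytes(16)
        self.pending[user] = (challenge, self.now())
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        """Accept a code only once and only inside the lifetime window."""
        entry = self.pending.pop(user, None)  # consumed whether or not it verifies
        if entry is None or user not in self.keys:
            return False
        challenge, issued = entry
        if self.now() - issued > self.lifetime:
            return False
        expected = token_response(self.keys[user], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = b"constructed-sample-token-key"
    server = ChallengeServer({"mike": key})
    c = server.issue_challenge("mike")
    code = token_response(key, c)
    print("fresh code:", server.verify("mike", code))   # True
    print("same code again:", server.verify("mike", code))  # False: already consumed
```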
