In this part, we focus on the aspect of monitoring the network. It is important to make sure that the traffic on the network belongs there.
Network monitors, aka sniffers (a term that is actually a trade name, like Kleenex), help troubleshoot network problems. They can do much more than a simple network configuration program like ipconfig. They usually consist of a PC with a NIC running in promiscuous mode, so that the card looks at every packet it sees on the network, even if that packet isn’t addressed to it.
They list everything that’s going on in the network, and it is up to you to decide what to do with that information. To properly read the information (the traffic) you should have an in-depth understanding of network protocols.
In addition to monitoring the traffic, you should also regularly check your event logs, which record the various events that occur on the machine. On a Windows machine, these logs are of particular interest:
| Log | Contents |
|---|---|
| Application Log | Events logged by applications/programs. Many applications redirect their error output to this log. |
| Security Log | Successful and unsuccessful logon attempts, as well as events related to resource use such as creating, opening or deleting files/objects. By default it doesn’t log successes and failures, but for security reasons this should be changed. |
Linux, on the other hand, has these important logs:
| Log | Contents |
|---|---|
| /var/log/faillog | Failed user logins |
| /var/log/apport.log | Application crashes |
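The Windows Security Log is the one whose defaults the notes say to change. The following PowerShell, added here as an example and not part of the original notes, first shows whether logon auditing is switched on, then summarises failed logons (event ID 4625) by target account so that a burst of failures against one account stands out. The 24-hour window is an assumption; it must run in an elevated shell because the Security log is restricted to administrators.

```powershell
# Added example: audit state of the Security log plus a failed-logon summary.
# Assumptions: run elevated; the 24-hour lookback is chosen for illustration.

# 1. Show whether success/failure auditing is enabled for the Logon subcategory.
auditpol /get /subcategory:"Logon"

# Enable both success and failure auditing for logons (uncomment to apply).
# auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 2. Pull failed logons (4625) from the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Each 4625 event carries its details as <Data Name="..."> elements in the XML body;
#    read them into an object so they can be grouped and sorted.
$parsed = $failed | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = $data['TargetUserName']
        Source    = $data['IpAddress']      # '-' for local logons
        LogonType = $data['LogonType']      # 2 interactive, 3 network, 10 RDP, ...
        Status    = $data['Status']
    }
}

# 4. Failures per account, most frequent first; a single account with a high count
#    is the pattern worth investigating.
$parsed |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

If `auditpol` reports "No Auditing" for the subcategory, the summary will be empty even during an attack, which is exactly the default the notes warn about. The same `ToXml()` approach works for the successful-logon event (4624) and for the Application log, since only the event ID and the `Data` field names change.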
The idea behind hardening is to “lock down” the OS as much as possible while still being able to work with it. Examples of hardening are:
Without hardening other security measures are going to be far less effective (or even ineffective).
Many services are important or even critical, but some services can be exploited as an attack vector. It is suggested to only enable the services that are absolutely required for the machine.
Example: On a Windows workstation there is no need to enable/install the web service (IIS), since it only provides an attack vector. On a web server running Windows, IIS is needed (unless you use another web server such as Apache).
Also make sure that only the needed directories are shared. Never share a “root” directory.
Exactly which services you’ll need and which you should disable depends highly on the purpose of the machine and on what other software is running on it. But on servers you should disable NetBIOS if there isn’t an effective firewall between the server and the internet.
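The three checks in this section (unneeded services, shared directories, NetBIOS) can be audited and applied from PowerShell. The block below is an added example, not part of the original notes: the service name `Spooler` and the share name `Data` are assumptions standing in for whatever the machine in question does not need, and everything must run elevated.

```powershell
# Added example: audit running services, shares and NetBIOS, then lock them down.
# Assumptions: 'Spooler' and 'Data' are placeholders; run in an elevated shell.

# 1. Inventory: services set to start automatically that are running right now.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' } |
    Select-Object Name, DisplayName, PathName |
    Sort-Object Name

# 2. Disable a service the machine does not need (assumption: no printing on this server).
$svc = 'Spooler'
Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
Set-Service  -Name $svc -StartupType Disabled

# 3. Shares: list the non-administrative shares and flag any that expose a drive root,
#    which the notes say should never be shared.
Get-SmbShare |
    Where-Object { -not $_.Special } |      # Special = C$, ADMIN$, IPC$ and friends
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $_.Path
            RootShare = ($_.Path -match '^[A-Za-z]:\\?$')   # True for e.g. 'C:\'
        }
    }

# Remove a share that exposes a whole drive (uncomment after confirming the name).
# Remove-SmbShare -Name 'Data' -Force

# 4. NetBIOS over TCP/IP: disable it on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object {
        $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = 2 }
        [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $result.ReturnValue }  # 0 = success
    }
```

Run steps 1 and 3 first and read the output before applying steps 2 and 4; the inventory is what tells you whether a service or share is actually in use on that machine. The NetBIOS change takes effect per adapter and is reported with a return value of 0 on success.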
It should be clear by now that you shouldn’t allow normal users access to administrative applications and interfaces. For administrators it is a good idea to log in as a normal user and then run the application as administrator or root.
As with services, you should only keep the software you need on a machine. A user doesn’t need a game to be able to work, just as a web server doesn’t need an office suite or accounting software. The components you’ll have to remove will vary based on your environment, but some should be removed from most systems, such as IIS on a workstation, PowerShell (if not in use) and Hyper-V (if there aren’t any VMs on the workstation).
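The components named above are Windows optional features and can be inventoried and removed with the Dism cmdlets. This block is an added example, not part of the original notes. The feature names are the DISM names for IIS, Hyper-V and the PowerShell 2.0 engine (the engine is what can actually be removed; the current PowerShell is part of the OS), and whether each one is "unneeded" remains a per-machine decision, which is why the removal is shown with `-WhatIf` first.

```powershell
# Added example: list enabled optional features and disable the ones the notes single
# out for a workstation. Assumptions: run elevated; the three feature names below are
# the DISM names, and they may not exist on every Windows edition.

# 1. See what is currently enabled before removing anything.
Get-WindowsOptionalFeature -Online |
    Where-Object State -eq 'Enabled' |
    Select-Object FeatureName |
    Sort-Object FeatureName

# 2. Features a typical workstation does not need.
$unneeded = @(
    'IIS-WebServerRole',                 # web server on a workstation
    'Microsoft-Hyper-V-All',             # no VMs hosted here
    'MicrosoftWindowsPowerShellV2Root'   # legacy PowerShell 2.0 engine
)

foreach ($f in $unneeded) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
    if (-not $feature) {
        "$f is not available on this edition"
    }
    elseif ($feature.State -eq 'Enabled') {
        # -WhatIf prints the change without applying it; drop it once the list is reviewed.
        Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart -WhatIf
    }
    else {
        "$f is already $($feature.State)"
    }
}
```

Removing the `-WhatIf` switch performs the removal; `-NoRestart` defers the reboot so several features can be disabled in one maintenance window.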
You should always keep your systems updated. However, automatically patching all machines in a network might cause problems and could even render all (or some) of your systems nonfunctional. Patches should first be applied to a single machine and tested, because they could interfere with the functionality of a business-critical application.
There are different types of patches for Windows. You can find a description of each on Microsoft’s TechNet.
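Once a patch set has been tested on a single machine, the remaining machines should end up with the same set. The following added example (not part of the original notes) compares the hotfixes installed on a pilot machine against other computers and reports what each one is missing. The computer names are placeholders, and the example assumes remote management access to all of them.

```powershell
# Added example: compare installed hotfixes on tested pilot vs. other machines.
# Assumptions: 'PILOT-PC', 'WS-01' and 'WS-02' are placeholders; remote access works.
$pilot   = 'PILOT-PC'
$targets = @('WS-01', 'WS-02')

# Hotfix IDs (KB numbers) present on the machine where patches were tested first.
$pilotKBs = Get-HotFix -ComputerName $pilot | Select-Object -ExpandProperty HotFixID

foreach ($t in $targets) {
    $kbs = Get-HotFix -ComputerName $t | Select-Object -ExpandProperty HotFixID

    # '<=' marks IDs that exist only in the reference set, i.e. on the pilot but not here.
    $missing = Compare-Object -ReferenceObject $pilotKBs -DifferenceObject $kbs |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject

    [pscustomobject]@{
        Computer       = $t
        MissingFromPilot = ($missing -join ', ')
    }
}

# Locally: the most recent patches, useful when a problem appears right after an update.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

Entries with `=>` in `Compare-Object` output (present on a target but not on the pilot) are worth a look too: they mean a machine received something the pilot never tested.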
It is important that only active accounts are operational and that they are properly managed. This means you should disable unnecessary accounts, even local accounts. Accounts that should be disabled include:
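For local accounts, the inventory and the disabling can be done with the LocalAccounts cmdlets. The block below is an added example, not part of the original notes: it lists every local account with its state and last logon, picks out enabled accounts that have not logged on recently, disables the built-in Guest account, and shows who is in the local Administrators group, which ties back to the point above that normal users should not have administrative access. The 90-day threshold is an assumption.

```powershell
# Added example: local account hygiene. Assumptions: run elevated; the 90-day
# staleness threshold is chosen for illustration, not a policy value from the notes.

# 1. Inventory of local accounts.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordRequired |
    Sort-Object Enabled, Name

# 2. Candidates for disabling: enabled accounts that never logged on, or not in 90 days.
$cutoff = (Get-Date).AddDays(-90)
$stale  = Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
}
$stale | Select-Object Name, LastLogon

# 3. Make sure the built-in Guest account is disabled; disable the stale ones after review.
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
# $stale | Disable-LocalUser     # uncomment once the list above has been checked

# 4. Who holds local administrative rights? Normal users should not appear here.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Service accounts may legitimately show no interactive logon, so the stale list is a review queue rather than something to pipe straight into `Disable-LocalUser`.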
Keep in mind that different file systems have different levels of security. But since most Windows OSes use NTFS, you should focus on this file system. For the exam, however, you should know a little about FAT too.