VNSA220 Cyber Self Defense
Best Practices!
© Daryl G Johnson 2006, Rev. Ben Woelk 2008

What are “Best Practices”?
• A generally accepted “best way of doing a thing”
• Assembled from experience
• Based on case studies
• Guidelines and suggestions
• Popularized in In Search Of Excellence by Tom Peters

Plethora of Standards
• NIST SP 800 Series
• ISF Information Security Forum
• Federal Financial Institutions Examination Council's (FFIEC)
• PCI Payment Card Industry

I’ve been hacked best practices
• NIAL
  – Notify technical support, financial institutions, credit card companies
  – Inspect: use a firewall and enable logging to track activity (host based and/or network based)
  – Action: monitor credit reports, change all passwords, place a fraud alert on your credit report
  – Law Enforcement: file a police report, contact your state attorney general, report the theft to the Federal Trade Commission

Desktop best practices (Windows)
• Turn off AutoRun/AutoPlay
• Use a login banner
• Don’t run as administrator
• Patch and harden before going online
* Don’t use Windows!

AutoRun/AutoPlay
• Different than “Auto Insert notification”
• When a removable device is detected, causes your system to automatically
  – look for a script named “Autorun.inf”
  – execute that script without asking you
• Can install or run software without your knowledge

To turn off AutoRun/Play
• For Win2k, XP, 2003
  – Start > Run “GPEDIT.MSC”
  – Local Computer Policy
    • Computer Configuration
      – Administrative Templates
        – System
  – change the "Turn off Autoplay" item to "Enabled".
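The GPEDIT setting above writes a single registry value; the script below is an added example (not from the slides) that sets that same value from an elevated PowerShell prompt and verifies it. The key path and the NoDriveTypeAutoRun bit mask are the documented policy location, and the helper function names are this example's own.

```powershell
# Added example: apply "Turn off Autoplay" = Enabled (all drives) via the policy value
# that GPEDIT's Computer Configuration path writes, then read it back to verify.
# Assumes an elevated PowerShell prompt on the machine being hardened.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'NoDriveTypeAutoRun'
$allDrives = 0xFF   # one bit per drive type; 0xFF turns AutoRun off for every type

function Get-AutoRunState {
    # Returns the current mask, or $null when the policy value is absent (AutoRun left on)
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$name } else { return $null }
}

function Disable-AutoRun {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value $allDrives -Type DWord
}

$before = Get-AutoRunState
Disable-AutoRun
$after = Get-AutoRunState

'NoDriveTypeAutoRun before: {0}  after: {1}' -f $before, $after
if ($after -ne $allDrives) {
    Write-Warning 'Policy value not applied; check that the prompt is elevated.'
}
# Explorer reads the value at logon, so log off and back on (or reboot) before testing with a CD or USB stick.
```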
Logon Banner
• Double-click Administrative Tools / Local Security Settings / Local Policies / Security Options
• Set Interactive logon: Message text for users attempting to log on to banner message
• Set Message title for users attempting to log on to banner title
• Logoff/Logon to test

Banner Message
This is an ABC Corp. computer system. This computer system, including all related equipment, networks, and network devices (specifically including Internet access), is provided only for authorized ABC Corp. use. ABC Corp. computer systems may be monitored for all lawful purposes, including ensuring that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes active attacks by authorized ABC Corp. entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this ABC Corp. computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.

Source: www.epublishing.af.mil/pubfiles/af/33/afi33219/afi33219.pdf

Banner Message
You have entered a restricted area. Use of deadly force is authorized.
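The two Security Options settings on the Logon Banner slide are stored as the LegalNoticeCaption and LegalNoticeText registry values; this added example (not from the slides) sets them from an elevated prompt and reads them back. The banner wording in it is a shortened placeholder to replace with the full text above, and the function names are this example's own.

```powershell
# Added example: set the logon banner through the registry values behind
# "Interactive logon: Message title/text for users attempting to log on", then verify.
# Assumes an elevated PowerShell prompt. $title/$text are placeholder wording.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$title = 'WARNING - Authorized Use Only'
$text  = 'This is an ABC Corp. computer system provided only for authorized use. ' +
         'Use of this system, authorized or unauthorized, constitutes consent to monitoring. ' +
         'Unauthorized use may subject you to criminal prosecution.'

function Set-LogonBanner([string]$Caption, [string]$Message) {
    Set-ItemProperty -Path $key -Name 'LegalNoticeCaption' -Value $Caption -Type String
    Set-ItemProperty -Path $key -Name 'LegalNoticeText'    -Value $Message -Type String
}

function Get-LogonBanner {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{ Caption = $p.LegalNoticeCaption; Text = $p.LegalNoticeText }
}

Set-LogonBanner -Caption $title -Message $text
$banner = Get-LogonBanner
if ([string]::IsNullOrEmpty($banner.Text)) {
    Write-Warning 'Banner text is empty: the setting did not take (is the prompt elevated?).'
}
$banner | Format-List
# As the slide says, log off and back on to see the banner. Setting both values to '' removes it.
```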
Limited Administrator use
• Use the run as command as necessary
• Start > Application (shift-right click)
  – Select run as
  – Click following user
  – Enter desired user account name
• (You may need to enable the RunAs service in XP or 2000: http://support.microsoft.com/kb/294676)

Avoiding Spam – Sophos list
• Never make a purchase from an unsolicited email
• If you do not know the sender of an unsolicited email message, delete it
• Never respond to any spam messages or click on any links in the message
• Avoid using the preview functionality of your email client software
• When sending email messages to a large number of recipients, use the blind copy (BCC) field to conceal their email addresses
• Think carefully before you provide your email address on websites, newsgroup lists or other online public forums
• Never give your primary email address to anyone or any site you don't trust
• Have and use one or two secondary email addresses

Avoiding Phishing—Sophos list
• Never respond to emails that request personal financial information
• Visit banks' websites by typing the URL into the address bar
• Keep a regular check on your accounts
• Check that the website you are visiting is secure
• Be cautious with emails and personal data
• Keep your computer secure
• Always report suspicious activity

Viruses best practice?
• http://www.youtube.com/watch?v=kGaRKDszY
• http://www.educause.edu/SecurityVideoContest2009
• Cash prizes will be awarded to the winners in each of the four categories (posters, training videos, 30-second public service announcements, and combined poster and video entry).
  – The gold winners will receive $1,000.
  – The silver winners will receive $800.
  – The bronze winners will receive $400.

Video sources
• University of Tennessee
• Weird Al
• http://www.educause.edu/SecurityVideoConte

Technical details
• How to implement various best practices

Sharing Files
• Administrators and Power Users can create shares
  – must have at least Read permission on the folder
  – users with Create Permanent Shared Objects rights
  – Only when “simple file sharing” is disabled
• NTFS permissions
  – Full control
  – Modify
  – Read & Execute
  – List folder contents
  – Read
  – Write
• Share permissions
  – Full Control
  – Change
  – Read

Share permissions
• independent of NTFS
• affect only remote users
• combine with NTFS permission
• do not affect local users; only NTFS permissions do
• superseded by a more restrictive NTFS permission
• EX. Full Control (share) + Read only (NTFS) = Read Only for remote users

The Default permissions on a share
• Gives the Everyone group Full Control
• Must explicitly edit security permissions on shared resources
• Otherwise NTFS permissions will be the only thing determining what access remote users have

Setting Share Permissions
• To create a share and set security permissions:
  – In Explorer, right mouse-click on the folder that is to be shared.
  – Select the Sharing and Security… menu option
  – Click the Share this folder radio button.
  – Specify the Share Name.
  – Click the Permissions button.
  – Add, remove, or edit the users and/or groups in the access control list for the share.

Share Security Recommendations
• When creating shares and share permissions, adhere to the following criteria when possible:
  – “Everyone” group is not given any permissions
  – Use the Authenticated Users or Users groups instead
  – Give the minimum amount of permissions needed
  – Hide shares by placing a $ after the share name
    – will not be visible in Network Neighborhood
    – but users must explicitly enter the full path
    – Security by obscurity
      • Can still connect to hidden shares
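To check existing shares against the recommendations above, this added example (not from the slides) enumerates the user-created disk shares on a machine, decodes each share-level ACL through WMI, and flags entries that grant Everyone anything or grant Full Control. The AccessMask-to-level table is the standard set of share permission masks; the function names and the REVIEW flag are this example's own.

```powershell
# Added example: audit share permissions (the share ACL, not the NTFS ACL) on the local machine.
# Assumes an elevated prompt; uses the Win32_Share / Win32_LogicalShareSecuritySetting WMI classes.
$levels = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }  # share AccessMask values

function Get-ShareAcl([string]$ShareName) {
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $sec) { return @() }
    $sd = $sec.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $who  = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        $mask = [int]$ace.AccessMask
        $lvl  = if ($levels.ContainsKey($mask)) { $levels[$mask] } else { '0x{0:X}' -f $mask }
        # The two conditions the slide tells you to avoid: any Allow for Everyone, or Full Control for anyone
        $risky = ($type -eq 'Allow') -and ($ace.Trustee.Name -eq 'Everyone' -or $lvl -eq 'Full Control')
        [pscustomobject]@{
            Share   = $ShareName
            Hidden  = $ShareName.EndsWith('$')   # hidden shares are still reachable by full path
            Trustee = $who
            Type    = $type
            Level   = $lvl
            Flag    = if ($risky) { 'REVIEW' } else { '' }
        }
    }
}

function Get-ShareAudit {
    # Type 0 = ordinary disk share; the built-in C$/ADMIN$/IPC$ shares carry other Type values and are skipped
    foreach ($s in Get-WmiObject -Class Win32_Share -Filter 'Type=0') {
        Get-ShareAcl -ShareName $s.Name
    }
}

Get-ShareAudit | Format-Table Share, Hidden, Trustee, Type, Level, Flag -AutoSize
```

A freshly created share shows the default the slide describes (Everyone, Allow, Full Control, REVIEW); remember that remote access is still cut down to the more restrictive NTFS permission on the folder.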
MS Tools for Monitoring Shares
– Control Panel
  • Administrative Tools
    – Computer Management
      • System Tools
        – Shared Folders
          – Shares
          – Sessions
          – Open Files

Metawhat?
– Data about data
– Information about the data, user, …
– Word, Excel, Adobe, …
– Usable for searching, organizing and third party tools
– Change tracking and multiple author coordination

MS Word Metadata
• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information
• Nonvisible portions of embedded OLE objects
• The names of previous document authors
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments
• Local relative link paths (HTTP, …)

Metadata sharing?!?
• MS Word stores the names of the last 10 authors
• Automatic feature that cannot be disabled
• Can remove metadata by saving in a format that does not retain such info
  – RTF (Rich Text Format) or HTML format
• Download MS tool “rhdtool.exe”
  – http://www.microsoft.com/downloads/details.aspx?familyid=144E54EDD43E42CABC7B5446D34E5360&displaylang=en
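To see for yourself which of the fields listed on the MS Word Metadata slide a file carries, this added example (not from the slides) opens a document as a zip archive and prints its core and application properties. It assumes the newer zip-based .docx format (docProps/core.xml and docProps/app.xml) and PowerShell 3 or later; the binary .doc format that rhdtool targets is not parsed here, and the path and function name are placeholders.

```powershell
# Added example: dump the identifying metadata stored in a .docx file's property parts.
# Assumes .NET 4.5+ (System.IO.Compression) and a .docx path of your own in $Path.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxMetadata([string]$Path) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $props = @{}
        foreach ($part in 'docProps/core.xml', 'docProps/app.xml') {
            $entry = $zip.GetEntry($part)
            if (-not $entry) { continue }          # a stripped document may lack app.xml
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$xml = $reader.ReadToEnd() } finally { $reader.Close() }
            # Every child of the root is one property (dc:creator, cp:lastModifiedBy, Company, Template, ...)
            foreach ($node in $xml.DocumentElement.ChildNodes) {
                if ($node.InnerText) { $props[$node.LocalName] = $node.InnerText }
            }
        }
        return $props
    } finally { $zip.Dispose() }
}

# The fields below are the ones the slides list as leaking identity: author, company, template, edit time
$wanted = 'creator', 'lastModifiedBy', 'revision', 'created', 'modified',
          'Company', 'Manager', 'Template', 'Application', 'TotalTime'
$meta = Get-DocxMetadata -Path 'C:\docs\sample.docx'   # placeholder path
foreach ($k in $wanted) {
    if ($meta.ContainsKey($k)) { '{0,-15} {1}' -f $k, $meta[$k] }
}
# No creator/lastModifiedBy/Company lines means those fields have already been removed.
```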
Who’s using your computer?
– Gpedit.exe > Local Computer Policy
  • Computer Configuration
    – Windows Settings
      – Security Settings
        – Local Policies
          – Audit Policies
            • Audit Account Logon Events
            • Audit Logon Events
            • Success and/or Failure

Event Viewer
• Administrative Tools
  – Event Viewer
• Security log
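Once logon auditing is on, the Security log answers the slide's question directly; this added example (not from the slides) enables the Logon audit subcategory and summarizes successful and failed logons per account over the last day. It assumes Windows Vista/Server 2008 or later (auditpol and event IDs 4624/4625 take the place of the XP-era Audit Policy GUI path above) and an elevated prompt; the function names are this example's own.

```powershell
# Added example: enable logon auditing and summarize who has logged on, or failed to, in the last 24 hours.
# Assumes Vista/2008+ and an elevated PowerShell prompt (the Security log needs administrator rights to read).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

function Get-EventField($Event, [string]$Name) {
    # Read a named EventData field from the event XML; more robust than positional Properties[] indexes
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}

function Get-LogonSummary([int]$Hours = 24) {
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = if ($e.Id -eq 4624) { 'Success' } else { 'FAILURE' }
            User   = Get-EventField $e 'TargetUserName'
            Type   = Get-EventField $e 'LogonType'   # 2 = console, 3 = network (e.g. a share), 10 = Remote Desktop
            Source = Get-EventField $e 'IpAddress'   # '-' for local logons
        }
    }
}

$summary = Get-LogonSummary -Hours 24
$summary | Group-Object Result, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
# Many FAILURE rows for one account from one Source is the pattern to follow up in Event Viewer's Security log.
```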
Reference
• http://www.sophos.com/security/best-practice/
• org/sgp/othergov/dod/nsaredact.pdf
Fall '08