-
Enquiries@iCloud9.co.uk
-
Phone: 01253 304255
- 23
Mar
Developing a Security Strategy
Contents
Distributed Denial of Service (DDoS) Protection. 4
Network Address Translation (NAT). 5
Microsoft Baseline Security Analyzer. 13
Report 1
Introduction
A Web Hosting company has asked for a report based on different types of security mechanisms for a range of windows based web servers and applications. This report will identify how best to secure the servers and applications and will also evaluate any industry standard counter-measure solutions.
Distributed Denial of Service (DDoS) Protection
Incapsula (2015) states that Denial of Service (DoS) attacks are attempts to make a website and servers unavailable to ordinary and legitimate users.
Incapsula (2015) explain that DoS attacks utilise a single internet connection to exploit known software vulnerabilities such as an unpatched operating system to flood the target with fake requests in an attempt to utilise all the CPU and memory of that server thus incapacitating it. According to Cloudflare (2015) Denial of Service (DoS) attacks are evolving and increasing to include Distributed Denial of Service (DDoS) and Distributed Reflector (DRDoS) attacks.
Cloudflare (2015) states that these are attacks that cannot be protected against by traditional on premise solutions and provide an answer in the use of geographically distributed filtering networks. Cloudflare (2015) goes onto explain that most DDOS attacks target layer3, the network layer, and layer 4, the transport layer. According to Cloudflare these attacks overwhelm the target network’s ability to handle all the traffic.
Akamai (2015) agree with this and both companies answer is to set up geographically distributed networks around the world which are able to filter the traffic and ensure only legitimate traffic gets through to the protected servers. (See Appendix A)
Cloudflare (2015) show that various forms of attack have been seen over the years such as DNS amplification, SYN/ACK attacks, SMURF attacks and the latest Layer 7, Application layer attacks, all utilising various weaknesses in the TCP/IP protocols however the new solutions now on the market are able to limit if not extinguish the impact these attacks have on a target network.
Firewalls
According to Zen (2015), two types of firewall are Stateful Packet Inspection (SPI) firewalls and Deep Packet inspection (DPI) firewalls.
Zen (2015) explains that SPI firewalls inspect each packet comparing the source and destination ports and IP addresses to ensure the traffic is allowed. However this only controls incoming traffic and is unable to see inside the data packet to check on exactly what the packet contains. Zen (2015) goes onto explain that this is where DPI firewalls have an advantage over SPI firewalls as they are able to examine each data packet, searching for illegal statements and defined criteria. This type of firewall can guard against Trojans, spyware and malware.
However SonicWall (2014) suggest that DPI Firewalls require dedicated hardware as routers and software firewalls are incapable of providing the speeds necessary to allow for real time deep packet inspection.
Network Address Translation (NAT)
Cisco (2014) explains that NAT allows multiple computers connected on a private network to access the internet using one or a few publicly accessible IP addresses (See Appendix B). This effectively masks the fact that there are many computers connected to the internet via this IP address. Pearson (2016) adds that NAT also has the additional benefit of conserving IP addresses as there is only a limited number available (approx. 4 billion)
Gibson Research Corporation (GRC) (2006) admit that NAT routers are not purchased for their inherent security benefits however they argue that NAT routers do function as effective hardware firewalls. GRC go onto explain that they prevent unsolicited, unexpected and unwanted potentially dangerous traffic from accessing the local PC’s on the local area network (LAN).
The reason they do this, GRC (2006) explains is that the NAT router creates a table of all conversations each PC on the internal LAN opens with external devices and therefore when any incoming external packets require access through the NAT firewall it simply checks this table to ensure it is a current connection that is already entered in the table. If any data arrives at the NAT router that is not in the “current connections” table then it is simply ignored. (see Appendix C)
Demilitarized Zones (DMZ)
Cisco (2015)explains that a DMZ is a sub-network that has been configured to allow the public access to services provided by systems within that sub network such as email and web servers. This ensures that the public do not have access to the internal private network where more private data may be stored.
DMZ’s can be configured using one or two separate firewalls, if one firewall is used then according to Pearson (2012)one of the internal ports must provide physical isolation from the rest of the ports and all communication from the DMZ interface must first be filtered through the internal firewall (See Appendix D).
GRC (2006) show that if two firewalls are employed then the public facing servers should be placed on an internal interface of the router that is attached to the Internet (see Appendix E). GRC (2006) explains that this allows for a second router to be placed on one of the remaining internal ports and equipment attached to this second router will then be protected by multiple firewalls.
GRC (2006) go onto state that whilst the first router must be configured to allow packets such as SMTP, in the case of a mail server, or HTTP in the case of a Web server, this second router should be configured to block any incoming unsolicited traffic thus ensuring that the private LAN is secure.
Hardening
According to Smyth (2010) Hardening involves the process of securing three main areas to reduce the risk of attacks. These are the operating system, the network and the applications.
Prowse (2010) explains that Operating system hardening can be carried out in many ways for instance by removing non-essential services. This reduces the possibilities of hackers finding a way in. Another method is to keep the operating system patched and upto date which ensures that any of the latest weaknesses found in the Operating system have been fixed. Strong Password security such as 30 day renewals, enforcement of strong passwords and disabling of accounts after repeated failed login ensures on of the hackers favorite methods, the process of using brute force to guess the password, is eliminated. Prowse (2010) Continues to explain that additionally any unnecessary accounts, such as guest, should be disabled. Access to files and directories should be controlled and where data is very sensitive file and file system encryption features should be enabled. Finally the logging of failed and successful login and access attempts will provide useful information.
Eweek (2002) shows that application hardening uses similar techniques to those of operating system hardening. The latest patches and fixes should be applied and access to sensitive data should be by additional passwords and security measures whilst unused applications should be removed.
Oxenhander (2003) explains that network hardening also uses many similar techniques, for instance, firmware and networking software should be patched and kept up to date. Management interfaces should use strong encrypted passwords, The SSH protocol should be utilized where appropriate and unnecessary protocols and services should be disabled. Oxenhander (2003) goes onto explain that all unused ports should be blocked and unnecessary services using those ports should be disabled. Wireless Security should use the latest WPA security measures and network access should be restricted.
Honey Pots
The Hong Kong Government (2008) (HKSAR) state that honeypots are traps designed to deceive a potential attacker into trying to compromise the security of an organization. HKSAR goes onto explain that honeypots can act as an early warning of possible attack and provide a means of analysis of how attackers are attempting to compromise the organization’s systems.
Cole & Northcutt (2016)explains that a honeypot can be a computer system, Server or PC, a simulated or virtual system, a service, a single file or even a number of other possibilities. They go onto explain that the value of a honeypot is in the fact that there is no legitimate reason for accessing the honeypot and therefore any access allows an administrator to quickly identify an attack.
Sans Institute (2016) admit that Justice department Richard Salgado warns that those laws surrounding honeypots are largely untested and the information gained from the use of a honeypot may not be admissible in a court of law. Additionally he continues that in the event of a compromised honeypot being used to attack further organizations, liability issues could be invoked.
Change Management
Cisco (2013)explain that the purpose of change management is to ensure that efficient and prompt standardized methods and procedures are used, any changes are recorded, business risk is minimized and all changes support business goals.
According to Computer Weekly’s Mike Gillespie (2016) Security is seldom considered as part of change and configuration management. Penetration testing identifies vulnerabilities but without ongoing security maintenance failures occur.
Gillepsie (2016) argues that a number of inherent issues are causing failures such as disparate systems, slow change management, bolted on security, legacy thinking and poor succession, limited or no security process maintenance and staff/management not kept informed of the corporate security requirements.
Cisco’s (2013) best practices list the type of changes that should be included in a change management system. These are application, hardware, software, network, environmental and documentation changes. Cisco (2013) believes that a change process model should include the steps needed to handle the change, the order of the steps, who’s responsible for each step, timescales, escalation procedures, approval and quality.
Conclusion
As technology increases, attacks on systems can only increase in scale and complexity. For large businesses, dependent on their public facing internet servers, traditional on site DDoS solutions cannot adapt to large scale attacks and therefore many companies are now providing geographically distributed networks capable of soaking up most large scale attacks.
A firewall is a must for any size business, however to provide serious security a Deep Packet Inspection (DPI) firewall should be employed which will secure the network from the more sophisticated internet attacks.
Network Address Translation is in common use in small, medium and large businesses alike. NAT should not be seen as a security precaution in its own right but is viable when combined with other options such as firewalls. However with the advent of IPV6 this may become an outdated method of securing a network altogether.
A DMZ is necessary to ensure private networks are not open to attack directly from the internet. Demilitarized Zones (DMZ) provide a location for public facing internet servers to be accessed from the internet whilst keeping the private LAN secure behind a second firewall.
Hardening is the vital task of ensuring all systems are kept patched and upto date. As software and systems become older they become more open to possible vulnerabilities as hackers learn more about how they work.
Honeypots have advantages & disadvantages, they are a useful tool for capturing information on potential attack methods however deploying honeypots may introduce more risks, and hackers may see them as a prize to try to exploit them. This may then give them a way in to take over other more confidential systems.
One of the most important service management processes is change management. Changes have the potential to disrupt the business, and therefore controlling the release of changes is critical. Reduced service disruption can be gained by integrating change management with the Security of the network,
Report 2
Introduction
This report will provide the possible countermeasures required to resolve issues shown up by the provided NMAP, and Nessus scans and the information provided by the Microsoft Baseline Analyzer. The information from each report will show security weaknesses in the clients web server and, where appropriate, a course of action to resolve each issue.
Operating System Updates
NESSUS Scan
The Nessus scan is run on the server itself and provides a list of Operating system vulnerabilities many of which can be resolved by running the Windows update service as shown in Appendix I. other Security weaknesses found by the Nessus Scan are listed below along with their suggested resolutions:-
| Critical Severity – Unsupported version of PHP. |
The PHP version is updated constantly to enhance security and remove flaws in its design and therefore it should be updated to the latest release (PHP Group, 2015)
| Critical Severity – DNS Server Vulnerabilities. |
The DNS server software needs to be patched to the latest version because in the version of DNS running on the target server vulnerabilities exists that allows the execution of remote code and denial of Service attacks. (Microsoft, 2014)
| High Severity – PHP Version Vulnerability. |
The specific version of PHP running on this server has known vulnerabilities that allows denial of service attacks which if exploited would mean the DNS server becomes overloaded or crashes the server and therefore it should be updated to the latest release (Tenable, 2015). This can be done using the platform installer.
| Medium Severity – Untrusted SSL certificate. |
A proper certificate need to be purchased for this server as an untrusted SSL certificate allows anyone to establish a man-in-the-middle attack by creating a similar website and pretending to be that company. (Tenable, 2015)
| Medium Severity – Self Signed SSL certificate. |
Same as above a proper certificate need to be purchased for this server because The SSL has not been signed by an accredited authority and therefore the company to which this website belongs cannot be verified. (Tenable, 2015)
| Medium Severity – MS Windows Vulnerability. |
The version of SSL running on this server is affected by a security feature bypass and needs to be Microsoft patched (Tenable, 2015). SSL will be removed using the IIS Crypto software.
| Medium Severity – SSL Certificate Expiry. |
The SSL certificate for domain on the target server has expired and needs renewing. (Tenable, 2015)
| Medium Severity – SSL version out of date. |
The version of SSL running on this server is an obsolete and insecure protocol and therefore should be updated, preferably to Transport Layer Security(TLS) according to Moeller (2014).
| Medium Severity – PHP Configuration Change. |
This resolution of this requires a simple change to the PHP configuration file php.ini . set the value for
‘expose_php’ to ‘Off’ and restart the web server (Tenable, 2015)
| Medium Severity – DNS Denial of Service attack. |
The version of DNS server running on the target is susceptible to a Denial of Service attack which will stop users from being able to find internet and intranet based services. Microsoft has re;eased a set of patches to resolve this. (Microsoft, 2012)
| Medium Severity – RC4 cipher in use. |
The affected application should be reconfigured to use TLS 1.2 as the RC4 cipher is flawed and if an attacker obtains many ciphertext messages he may be able to recover the plaintext information (Tenable 2013). RC4 will be removed
| Medium Severity – SSL padding vulnerability. |
A vulnerability in SSL could allow a man in the middle attack (MITM), known as POODLE. Web servers should be updated to use versions of TLS later than 1.2 AND SSL3 should be disabled. (ImperialViolet, 2014). SSL can be disabled by Editing the system registry, however a far simpler way is to use the software, IIS Crypto, a free download which provides a simple GUI interface. ( see Appendix H)
| Medium Severity – TLS padding vulnerability. |
A vulnerability in TLS could allow a man in the middle attack (MITM) known as POODLE, Web servers should be updated to use versions of TLS later than 1.2. (ImperialViolet, 2014)
| Medium Severity – Clickjacking vulnerability |
Clickjacking is a vulnerability that hides what the user is actually clicking on and therefore potentially allows for the input of sensitive information. One way to resolve this is to add the HTTP Response Header manually to every page. Or add a filter that automatically adds the header to every page. (Tenable, 2015)
| Low Severity – Unsupported version of PHP. |
The Server is running a File Transfer Protocol(FTP) service. This server allows unencrypted transmission of login and passwords which could be intercepted. (Tenable, 2015), This should be turned off if it is not required or alternatively a secure FTP (FTPS) should be used.
Firewall Configuration
NMAP Scan
The Nmap scan is run externally to the server targeting its IP address to see what ports it can communicate with, it does this by sending a SYN packet and where a port is open the server will return an ACK packet. The Nmap Scan targeting the clients server shows a list of Open firewall Ports an NMAP Scan of the server is shown at Appendix F. Each open port is listed below along with a suggested resolution:-
- Port 21 is shown as Open and is used by the File Transfer Protocol. As discussed in the Nessus scan FTP could be removed and replaced for a more secure FTPS service,Web admins can simply copy files to the windows IIS services on the internal LAN so this service will be disabled as it cannot be removed due to it being an integral part of the Web Server Role. It will also be closed down in the firewall. Simply closing down port 21 in the firewall would still leave the service running which will provide hackers with a possible point of exploit.
- Port 23 is shown as open and is used by the Telnet protocol. Telnet is an old an insecure protocol which sends plain text logins and passwords and therefore this service will be removed.
- Port 53 is used by DNS services and need to be left open. Ensure that the DNS software is properly upto date.
- Port 80 is used by HTTP which allows internet users to access the web server and therefore must be left open. Ensure The Internet Information Services Software is patched to the latest release.
- Port 135 is normally required where VPN’s and client/server applications exist but is not needed on a web server.
- Port 139 is used by File and Print Sharing which is required internally for administrative shares. However it is unlikely that a webserver needs access to other systems printers and fileshares so this port should be closed down.
- Port 443 is used by HTTPS and is a secure encrypted method of accessing the web server and will be left open. Again ensure The Internet Information Services Software is patched to the latest release.
- Port 3389 is used by Windows Remote Desktop. Although more secure than telnet it is still open to exploits, If a remote login is required. A Virtual private Network connection would be more secure. This service can therefore be turned off also. It should be noted that turning off this service would effectively terminate my current access to the server.
- Ports above 49152 are Dynamic ports and are used by outgoing services so do not need to be open on the incoming firewall.
Microsoft Baseline Security Analyzer
A Microsoft Security baseline analysis can be seen at Appendix G. This report compares Microsoft Best practices with the configuration of the target server and provides solutions to bring the system in line with these practices. Listed below are the issues that the report has found:-
- Multiple updates are missing and the quickest method of resolving this is to turn automatic updates on
- User Guest has a non-expiring weak password however this account is disabled. Nerverless to remove this message the password should be set stronger and also the account set to expire
- Windows Firewall has Exceptions configured and these need to be turned off to ensure only the ports that are allowed are able to pass through the firewall. All unrecognized rules will likewise be disabled.
- Windows Auditing will be enabled to ensure a history of logon and access failures are available if required.
- All Unnecessary services will be disabled
- The only file shares are admin shares and the security and permissions cannot be changed on these.
- IIS compatibility and common files will be installed
Obfuscation
According to SecureIT (2006) Obfuscation of the operating system is important because any scanner can interrogate a system to find out what operating system is in use. A potential hacker can then use this information to research the potential vulnerabilities of that operating systems.
Programs such as Security Cloak and obfuscate are designed to spoof a different operating system tricking the potential hacker into thinking the system runs this spoofed operating system. It does this by editing relevant registry settings. A newer and better method of server obfuscation is to use a Geographically Distributed Network such as the Cloudflare (2015)solution discussed earlier in this report. This completely hides the organisations systems behind that of the solution provider.
Antivirus
No Antivirus solution is installed on the server and according to Kaspersky (2015) Hundreds of thousands of new malware items are being released daily. There are various solutions available but Sophos will be installed on this server. See Appendix P
Report 3
Introduction
The client has asked that the solutions suggested in Task 2 are now deployed to the webserver. Each solution will be evaluated to ensure each security issue has been resolved.
Nessus Scan
The Nessus Scan Pre fix report at Appendix J provides a list of Operating System issues that need to be resolved. The following points highlight the completed tasks :-
- Windows Updates have been applied See Appendix I
- Obfuscate3 has been used to hide the Operating system see Appendix L
- IIS Crypto has been used to remove SSL3, see Appendix M
- The Telnet Server Service has been removed, see Appendix N
- PhP has been upgraded to version 7 this is done using the windows platform installer, a Microsoft tool.
- To resolve the Clickjacking threat the system registry has been has been edited according to Mozilla (2015) See Appendix M1.
NmapScan
The Pre fix Nmap scan can be seen at Appendix F. This provides a list of Firewall port issues that need to be resolved.
- Port 21 – FTP is used to download and upload files to the webserver but is also an old and insecure protocol. If Webdesigners need external access then a more secure protocol would be to replace FTP with FTPS. The FTP Server has been removed under the IIS Roles.
- Port 23 – The removal of the Telnet service during the Nessus fixes has also removed the telnet rule.
- Port 53 – DNS is required for the normal running of a web server.
- Port 80 – HTTP DNS is required for the normal running of a web server.
- Port 135 – Has been disabled.
- Port 139 – Has been disabled.
- Port 443 – HTTP DNS is required for the normal running of a web server.
- Port 3389 – Is required for Remote desktop and has been left open.
- Port 49193+ – These are Dynamic port and have been disabled.
Evaluation of Implemented Security Solutions
The following list ensures that the solutions that have been applied have resolved the issues described, where possible, in the various reports.
- The Nmap post Scan report shows that Obfuscate has successfully changed the operating system to spoof the server as a Linux server. See Appendix Q
- The Nessus Scan post fix report shows that IIS Crypto has been used to remove SSL3, see Appendix M. However RC4 cannot be removed without causing crashes. The cause of this crashing is possibly due to the VMWARE utilizing RC4 to communicate with the virtual drive
- The removal of the telnet Service has also closed down the telnet port as shown in Appendix Q.
- The upgrade to PHP 7 has successfully fixed multiple vulnerabilities, see Appendix K
- The system registry update has successfully resolved the clickjackacking issues, see Appendix K
- The removal of the FTP Service has also closed down the FTP port as shown in Appendix Q. However if File transfer is required by the web developers it is suggested that a more secure FTPS protocol be used.
- Wins is a now nearly defunct service having been replace with DNS. It is used by older windows systems and is therefore no longer needed on new networks. The WINS service has been removed and the port closed
- Port 3389 is used by Remote Desktop and is open to vulnerabilities however this port has been left open to ensure access to the server is possible. A VPN connection should be used when using RDP to ensure encrypted safe communication.
- Up to date SSL Certificates have not been applied however these are easily purchasable from companies such as 123.reg and GoDaddy
- All Updates have been applied which has resolved all of the update issues shown in the Microsoft baseline analyzer report, see Appendix G
- Whilst checking the windows firewall it was noticed that rules 125 and 127 were allowing all programs to access the server from various internet addresses. These rules have now been disabled. See Appendix O.
Appendix
Appendix A
Distributed Filtering
Appendix B
NAT
Appendix C
NAT acting as a firewall
Appendix D
Demilitarized Zone Using one Router
Appendix E
Demilitarized Zone using 2 routers
Appendix F
NMAP Scan
| 192.168.151.184(online) | |||||||
| Address | |||||||
| 192.168.152.184 – (ipv4) | |||||||
| Ports | |||||||
| The 89 ports scanned but not shown below are in state: filtered | |||||||
| Port | State (toggle closed [0] | filtered [0]) | Service | Reason | Product | Version | Extra info | |
| 21 | tcp | open | ftp | syn-ack | |||
| 23 | tcp | open | telnet | syn-ack | |||
| 53 | tcp | open | domain | syn-ack | |||
| 80 | tcp | open | http | syn-ack | |||
| 135 | tcp | open | msrpc | syn-ack | |||
| 139 | tcp | open | netbios-ssn | syn-ack | |||
| 443 | tcp | open | https | syn-ack | |||
| 3389 | tcp | open | ms-wbt-server | syn-ack | |||
| 49153 | tcp | open | unknown | syn-ack | |||
| 49154 | tcp | open | unknown | syn-ack | |||
| 49155 | tcp | open | unknown | syn-ack | |||
| Remote Operating System Detection | |||||||
| Windows 2008R2 | |||||||
Appendix G
Microsoft Baseline Security Analysis
| Security assessment: | |
| Incomplete Scan (Could not complete one or more requested checks.) |
| Computer name: | WORKGROUP\WEB184 |
| IP address: | 192.168.151.184 |
| Security report name: | WORKGROUP – WEB184 (31-12-2015 11-45) |
| Scan date: | 31/12/2015 11:45 |
| Catalog synchronization date: | |
| Security update catalog: | Microsoft Update |
Security Updates
| Score | Issue | Result | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Developer Tools, Runtimes, and Redistributables Security Updates |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Windows Security Updates |
INSTALL ALL UPDATES |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| SQL Server Security Updates |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Windows Scan Results
Administrative Vulnerabilities
| Score | Issue | Result | ||||||||||||||||||
| Automatic Updates |
|
|||||||||||||||||||
| Password Expiration |
|
|||||||||||||||||||
| Windows Firewall |
|
|||||||||||||||||||
| Incomplete Updates |
|
|||||||||||||||||||
| Local Account Password Test |
|
|||||||||||||||||||
| File System |
|
|||||||||||||||||||
| Guest Account |
|
|||||||||||||||||||
| Autologon |
|
|||||||||||||||||||
| Restrict Anonymous |
|
|||||||||||||||||||
| Administrators |
|
|||||||||||||||||||
Additional System Information
| Score | Issue | Result | ||||||||||||||||||
| Windows Version |
|
|||||||||||||||||||
| Auditing |
|
|||||||||||||||||||
| Shares |
|
|||||||||||||||||||
| Services |
|
|||||||||||||||||||
Internet Information Services (IIS) Scan Results
Administrative Vulnerabilities
| Score | Issue | Result | |
| IIS Status |
|
||
| IIS Status |
|
||
| IIS Status |
|
||
| IIS Status |
|
||
| IIS Status |
|
||
| IIS Lockdown Tool |
|
Additional System Information
| Score | Issue | Result | |
| Domain Controller Test |
GOOD |
SQL Server Scan Results
| Score | Issue | Result | |
| SQL Server/MSDE Status |
GOOD |
Desktop Application Scan Results
Administrative Vulnerabilities
| Score | Issue | Result | |
| IE Enhanced Security Configuration for Administrators |
|
||
| IE Enhanced Security Configuration for Non-Administrators |
|
||
| IE Zones |
|
||
| Macro Security |
|
Appendix H
IIS Crypto
Appendix I
Windows Update
Appendix J
Nessus Scan Pre updates
Appendix K
Nessus Scan Post updates
Appendix L
Obfuscate
Appendix M
IIS Crypto
Appendix M1
ClickJacking
Appendix N
Telnet Service
Appendix O
Firewall Rules 125 & 127
Appendix P
Sophos Antivirus
Appendix Q
Nmap Scan Post Fixes
| 192.168.151.184(online) | |||||||
| Address | |||||||
| 192.168.152.184 – (ipv4) | |||||||
| Ports | |||||||
| The 89 ports scanned but not shown below are in state: filtered | |||||||
| Port | State (toggle closed [0] | filtered [0]) | Service | Reason | Product | Version | Extra info | |
| 53 | tcp | open | domain | syn-ack | |||
| 80 | tcp | open | http | syn-ack | |||
| 443 | tcp | open | https | syn-ack | |||
| 3389 | tcp | open | ms-wbt-server | syn-ack | |||
| Remote Operating System Detection | |||||||
| Linux | |||||||
References
Akamai, 2015. WHY AKAMAI CLOUD SECURITY FOR DDOS PROTECTION? [Online] Available at: HYPERLINK “https://www.akamai.com/us/en/solutions/products/cloud-security/ddos-protection-service.jsp” [Accessed 2nd Jan 2016].
Blackhat, 2003. BlackHat Briefings. [Online] Available at: HYPERLINK “http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-hackercourt.pdf” http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-hackercourt.pdf [Accessed 4th Jan 2016].
Cisco, 2013. Change Management: Best Practices. [Online] Available at: HYPERLINK “http://www.cisco.com/c/en/us/products/collateral/services/high-availability/white_paper_c11-458050.html” http://www.cisco.com/c/en/us/products/collateral/services/high-availability/white_paper_c11-458050.html [Accessed 4th Jan 2016].
Cisco, 2014. Network Address Translation (NAT) FAQ. [Online] Available at: HYPERLINK “http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html” http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html [Accessed 2nd Jan 2016].
Cisco, 2015. Configuring DMZ. [Online] Available at: HYPERLINK “https://www.cisco.com/assets/sol/sb/isa500_emulator/help/guide/ad1681599.html” https://www.cisco.com/assets/sol/sb/isa500_emulator/help/guide/ad1681599.html [Accessed 3rd Jan 2016].
Cloudflare, 2015. Affordable advanced DDoS protection. [Online] Available at: HYPERLINK “https://www.cloudflare.com/ddos/” https://www.cloudflare.com/ddos/ [Accessed 2nd January 2016].
Cole, E. & Nortcutt, S., 2016. Honeypots: A Security Manager’s Guide to Honeypots. [Online] Available at: HYPERLINK “http://www.sans.edu/research/security-laboratory/article/honeypots-guide” http://www.sans.edu/research/security-laboratory/article/honeypots-guide [Accessed 2016].
EWeek, 2002. Application Hardening Checklist. [Online] Available at: HYPERLINK “http://www.eweek.com/c/a/Application-Development/Application-Hardening-Checklist” http://www.eweek.com/c/a/Application-Development/Application-Hardening-Checklist [Accessed 3rd Jan 2016].
Gibson Research Corporation, 2006. NAT router Security Solutions. [Online] Available at: HYPERLINK “https://www.grc.com/nat/nat.htm” https://www.grc.com/nat/nat.htm [Accessed 2nd Jan 2016].
Gillespie, M., 2016. Security Think Tank: Security needs to be part of change management processes. [Online] Available at: HYPERLINK “http://www.computerweekly.com/opinion/Security-Think-Tank-Security-needs-to-be-part-of-change-management-processes” http://www.computerweekly.com/opinion/Security-Think-Tank-Security-needs-to-be-part-of-change-management-processes [Accessed 4th Jan 2016].
Heffner, C., 2006. Security Cloak – Fool Passive Fingerprinting. [Online] Available at: HYPERLINK “http://www.securiteam.com/tools/5MP052KI0A.html” http://www.securiteam.com/tools/5MP052KI0A.html [Accessed 6th Jan 2016].
Hong Kong Government, 2008. HONEYPOT SECURITY. [Online] Available at: HYPERLINK “http://www.infosec.gov.hk/english/technical/files/honeypots.pdf” [Accessed 4th Jan 2016].
IETF (1987) RFC 1034. Available at: HYPERLINK “https://www.ietf.org/rfc/rfc1034.txt” https://www.ietf.org/rfc/rfc1034.txt (Accessed: 17th November 2015).
ImperialViolet (2014) ImperialViolet. Available at: HYPERLINK “https://www.imperialviolet.org/2014/12/08/poodleagain.html” https://www.imperialviolet.org/2014/12/08/poodleagain.html (Accessed: 22nd November 2015).
incapsula, 2015. Denial of Service Attacks. [Online] Available at: HYPERLINK “https://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html” https://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html [Accessed 3rd Jan 2016].
Kaspersky, 2015. Internet Security. [Online] Available at: HYPERLINK “http://www.kaspersky.co.uk/internet-security” http://www.kaspersky.co.uk/internet-security [Accessed 6th Jan 2016].
Microsoft (2012) Microsoft Security Bulletin MS12-017 – Important. Available at: HYPERLINK “https://technet.microsoft.com/library/security/ms12-017” https://technet.microsoft.com/library/security/ms12-017 (Accessed: 22nd November 2015).
Microsoft (2014) Microsoft Security Bulletin MS11-058 – Critical. Available at: HYPERLINK “https://technet.microsoft.com/library/security/ms11-058” https://technet.microsoft.com/library/security/ms11-058 (Accessed: 22nd November 2015).
Moeller, B. (2014) This POODLE Bites: Exploiting The. Available at: HYPERLINK “https://www.openssl.org/~bodo/ssl-poodle.pdf” https://www.openssl.org/~bodo/ssl-poodle.pdf (Accessed: 22nd November 2015).
oxenhander, D., 2003. Designing a Secure Local Area Network. [Online] (1.4b) Available at: HYPERLINK “https://www.sans.org/reading-room/whitepapers/bestprac/designing-secure-local-area-network-853” https://www.sans.org/reading-room/whitepapers/bestprac/designing-secure-local-area-network-853 [Accessed 3rd Jan 2016].
Paterson, K. (2013) On the Security of RC4 in TLS and WPA. Available at: HYPERLINK “http://www.isg.rhul.ac.uk/tls/” http://www.isg.rhul.ac.uk/tls/ (Accessed: 22nd November 2015).
Pearson Education, 2012. Network Security First-Step: Firewalls. [Online] Available at: HYPERLINK “http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=5” http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=5 [Accessed 3rd Jan 2016].
Pearson, 2016. Internet Addressing and Routing First Step. [Online] Available at: HYPERLINK “http://www.ciscopress.com/articles/article.asp?p=348253&seqNum=7” http://www.ciscopress.com/articles/article.asp?p=348253&seqNum=7 [Accessed 2nd Jan 2016].
PHP Group (2015) PHP. Available at: HYPERLINK “http://php.net/” http://php.net/ (Accessed: 22nd November 2015).
Prowse, D.L. (2010) CompTIA Security+ SYO-201 Cert Guide. Pearson.
Smyth, N. (2010) Security+ Essentials. Payload Media.
Sonicwall, 2014. Deep Packet Inspection. [Online] Available at: HYPERLINK “http://www.sonicwall.com/documents/deep-packet-inspection-datasheet-74705.pdf” http://www.sonicwall.com/documents/deep-packet-inspection-datasheet-74705.pdf [Accessed 2nd Jan 2016].
Tenable (2015) FTP Supports Cleartext Authentication. Available at: HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=34324” http://www.tenable.com/plugins/index.php?view=single&id=34324 (Accessed: 22nd November 2015).
Tenable (2015) MS13-006: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220) (uncredentialed check). Available at: HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=63643” http://www.tenable.com/plugins/index.php?view=single&id=63643 (Accessed: 5th Jan 2016).
Tenable (2015) PHP 5.3.x< 5.3.29 Multiple Vulnerabilities. Available at: HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=77285” http://www.tenable.com/plugins/index.php?view=single&id=77285 (Accessed: 21st November 2015).
Tenable (2015) PHP expose_php Information Disclosure. Available at: HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=46803” http://www.tenable.com/plugins/index.php?view=single&id=46803 (Accessed: 22nd November 2015).
Tenable (2015) SSL Certificate Expiry. Available at: HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=15901” http://www.tenable.com/plugins/index.php?view=single&id=15901 (Accessed: 21st November 2015).
Tenable (2015) SSL Self-Signed Certificate. Available at: HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=57582” http://www.tenable.com/plugins/index.php?view=single&id=57582 (Accessed: 21st November 2015).
Tenable (2015) Web Application Potentially Vulnerable to Clickjacking. Available at: HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=85582” http://www.tenable.com/plugins/index.php?view=single&id=85582 (Accessed: 22nd November 2015).
Zen, 2015. Stateful vs Deep Packet Inspection. [Online] Available at: HYPERLINK “https://www.zen.co.uk/business/broadband/business-broadband/stateful-vs-deep-packet-inspection.aspx” https://www.zen.co.uk/business/broadband/business-broadband/stateful-vs-deep-packet-inspection.aspx [Accessed 2nd Jan 2016].
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Comments are closed.