
Just How Effective is System Hardening?

Posted by timothy
from the how-large-is-your-facade dept.
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."

  • Ahh yes, (Score:5, Funny)

    by abolitiontheory (1138999) on Tuesday May 13, 2008 @08:37AM (#23390336)
    /. is just the place to come for advice on "system hardening."
    • Re:Ahh yes, (Score:5, Funny)

      by sm62704 (957197) on Tuesday May 13, 2008 @09:13AM (#23390680) Journal
      "Trinity" from The Matrix hardened my system!

      Oh, you're talking about computer security? Never mind, then.
  • Defense in Depth (Score:5, Insightful)

    by Hyppy (74366) on Tuesday May 13, 2008 @08:38AM (#23390342)
    System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, vlan segregation, virus scanner, etc, they still have to contend with a hardened local system in order to compromise data.

    System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.
    • Re:Defense in Depth (Score:5, Interesting)

      by tgatliff (311583) on Tuesday May 13, 2008 @08:46AM (#23390412)
      I guess it depends on the type of system you are running, and how users interact with it. Most of what I do is building appliance based servers, so my focus is more on keeping users away from the shell, and limiting the number of services (http primarily) they can use. For me, adding SELinux to the mix on something like what I have would be a lot more painful and time consuming to implement, and probably not worth the extra time...

      If you have to allow actual users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...
      • by Hyppy (74366) on Tuesday May 13, 2008 @09:12AM (#23390658)
        If you consider system hardening as more than just installing SELinux, you can see it helps secure more than just users with shell access.

        Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.

        If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.

        You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.
        • by jandrese (485) <kensama@vt.edu> on Tuesday May 13, 2008 @09:26AM (#23390830) Homepage Journal
          On the other hand, denying logins because the security log is full is a great way to open up your box to DoS attacks, especially if you are judiciously logging everything.
          • by Hyppy (74366) on Tuesday May 13, 2008 @09:31AM (#23390888)
            Weigh it depending on your needs. Prioritize, without putting any two factors on equal footing. What is more important and least important out of these three: secure data, catching an intruder who may have accessed secure data, or having regular users log on during a DoS attack?

            That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.
          • Just restrict your logging to failed logins for valid users on valid ports, and then jack up the login attempt delay.

            By far the majority of attacks are implemented using guesswork credentials.

            It's not much of a problem anymore, because storage space is so cheap. I set mine to log everything for a few months, just out of curiosity at the crap going around my ISP and even at the highest levels the logs were only taking up about 15% of my drive space; mostly automated brute force attacks.

            Once I restricted the
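The log-filtering idea in the post above (keep failures against accounts that actually exist, drop the noise against bogus names, but still count every attempt per source) as an added example that is not part of the thread. The log lines are constructed in OpenSSH's syslog format and the user list is invented.

```python
"""Triage SSH authentication failures: keep failures for valid users,
drop noise against non-existent accounts, count attempts per source.
Added, stand-alone illustration; the sample log lines are constructed.
"""
import re
from collections import Counter
from typing import List, Set, Tuple

# OpenSSH password-failure line. The optional "invalid user " prefix marks
# attempts against accounts that do not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample input (not real logs); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    "May 13 08:37:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "May 13 08:37:03 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2",
    "May 13 08:38:10 host sshd[1301]: Failed password for alice from 198.51.100.4 port 40022 ssh2",
    "May 13 08:38:12 host sshd[1302]: Accepted password for alice from 198.51.100.4 port 40023 ssh2",
    "May 13 08:39:00 host sshd[1400]: Failed password for root from 203.0.113.7 port 51250 ssh2",
]

# Constructed: the accounts that really exist on this host.
VALID_USERS = {"alice", "bob", "root"}


def triage(lines: List[str], valid_users: Set[str]) -> Tuple[List[str], Counter]:
    """Return (lines worth keeping, failed attempts per source IP).

    Kept lines are failures against real accounts, the ones a human should
    read. The counter includes every failure, so a source hammering
    non-existent names still surfaces in the per-source tally even though
    its individual lines are not retained.
    """
    keep: List[str] = []
    per_source: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        per_source[m["ip"]] += 1
        if m["invalid"] is None and m["user"] in valid_users:
            keep.append(line)
    return keep, per_source


if __name__ == "__main__":
    kept, sources = triage(SAMPLE_LOG, VALID_USERS)
    for line in kept:
        print("KEEP", line)
    for ip, n in sources.most_common():
        print(f"{n:3d} failures from {ip}")
```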
        • by tgatliff (311583)
          You certainly sound like a wonderful admin, and I can appreciate that...

          As far as logs, we traditionally have a series of items, such as hd data, temp data, etc that we automate with an srsync snapshot nightly. From there, we use a custom app we wrote to parse out key word data or repeatable trends we find interesting, such as error, failed login attempts, etc... Meaning, we also erase nothing, but let software processes smooth over the sheer volume of data for us...

          Also, as far as additional security ite
      • by Ryan Amos (16972) on Tuesday May 13, 2008 @11:11AM (#23391940)
        SELinux is great for hardening a box. Unfortunately most sysadmins don't take the time to learn how it works and turn it off because they can't get something to work. Yes; it is a pain in the ass to deal with most of the time, but it's saved me from some big mistakes before as well.

        SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.

        The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?
        • by dougmc (70836)
          Nicely done -- you nailed it. Though I'd emphasize a little more what a pain selinux can be for a general-use system. The learning curve is relatively steep, and like many security measures, it often does get in the way of doing work, especially when you don't really understand it yet. And so yes, it does tend to get turned off.
          • Re: (Score:3, Interesting)

            by dpilot (134227)
            I'd go one step further, and state that SELinux *can* be the enemy of defense-in-depth. To begin with, SELinux has been sufficiently difficult to get running properly that a common response is to just shut it off. So if you want defense-in-depth, and the other forms of defense are those that haven't been pre-configured into SELinux, you're essentially discouraged from using them. (If you think it's hard picking SELinux up off the shelf and using it, then try some fairly deep modifications to existing pol
        • but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users

          I'm not discouraging use of SELinux, but you can use Posix ACLs without SELinux. If flexible file permissions are the driving factor, SELinux is overkill.

        • I write OSS software. Targeted at sysadmins, not Joe Random Users. And it requires some (actually not too much) knowledge of Unix filesystem permission. You wouldn't believe how many questions I get about the most simple things (like: you need exec permission on a directory to access files therein..). If people don't understand Unix file permissions, how can you expect that SELinux can be used effectively by them?
    • by Jeruvy (1045694) * on Tuesday May 13, 2008 @09:14AM (#23390688)
      OS Hardening is exactly that, risk mitigation. If you know that you don't need to run certain processes, or you can run them with reduced variables, not only will your systems run with less risk, they can also be more stable. Fewer updates and patching, less dealing with new variables (because someone enabled some feature that was disabled), adding new functions only after approval and ensuring they meet your requirements. So yes, I'd say OS hardening is an essential part of your good security practices.
    • If you need to test the effectiveness of your hardened OS then you are already in trouble; it is just the difference between trouble and disaster. That being said, it is not a silver bullet of protection: if the hacker has gotten that far then you probably have some holes in your full IT security concept that need to be addressed. But like most security nowadays it isn't as much about protection as it is saying I did my due diligence in being protected.
  • if DISA put out a lockdown script for the various Unix flavors. The Gold Disk they have for Unix breaks shit. But dang if the Windows one works. What's up with that? It's a real pain manually doing this.

    • by Hyppy (74366) on Tuesday May 13, 2008 @08:42AM (#23390378)
      The DISA gold disk breaks Windows just as bad, believe me. The 100% Gold Disk Standard(tm) is only necessary for the highest security systems, which usually run software designed with gold disk hardening in mind in the first place.
      • by jandrese (485) <kensama@vt.edu> on Tuesday May 13, 2008 @09:30AM (#23390870) Homepage Journal
        Where did you find a Windows Gold Disk that doesn't make a complete mess of the OS? I'd really like to get that because I've never gone through that process and still have the application the box is designed for work. In fact it's typically worse with Windows because when something gets a permission denied (especially on something like a Registry key), it won't be like Unix and spit out a message like "Error: File /foo/bar: Permission denied", instead your application will crash and spit out a message like "Error: failure" to the system log (and only if you're lucky will it put something in the system error log). Since locking down Windows means changing the ACL on just about everything on the system, it's almost impossible to track down what broke your application.
        • by Hyppy (74366)
          Completely agreed. One of my sections experimented with the DISA gold disk one time, turning it on in "high security" mode, and it took us 3 days with RegMon and a grab bag of other utilities to revert the system to just basic usable mode. Office XP wouldn't even open correctly!
        • Yup. Everything is more difficult on Windows and configuring a Windoze box for half decent security is well nigh impossible. Consequently, when I need to supply a secure Windows application, I use Wine on Linux.
      • Re: (Score:3, Informative)

        by cromar (1103585)
        You might try (on a test box) the security information/tools CIS [cisecurity.org] (Center for Internet Security) has to offer. I have had good experience with the information for AIX (of all things). They provide automated tools for Windows and a few other OSs.
    • Re: (Score:2, Insightful)

      Well, the SRR for UNIX released last month is only supported on specific flavors:

      Solaris 2.5.1 through Solaris 10; HP-UX 11.0, HP-UX 11.11; Red Hat Enterprise Linux 3 and 4; and AIX 4.3. FSO cannot guarantee the accuracy of these scripts if they are used on other UNIX versions.
      That means if you are running any other version/flavor, you're going to need to review the script and modify it as necessary.
      • All the SRR for Unix does is check for vulnerabilities. It makes no changes.

      • by Hyppy (74366)
        Those are the only flavors, as far as I am aware, that the NSA has approved so far for government use in production environments.
      • Well I guess my old Sparcstation's fucked, then - but then again it's only running my CERN proxy, so that's OK :P
  • Concrete (Score:5, Funny)

    by Urger (817972) on Tuesday May 13, 2008 @08:41AM (#23390370) Homepage
    I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.
  • Easy (Score:5, Funny)

    by J3M (546439) on Tuesday May 13, 2008 @08:49AM (#23390446)
    I use Ubuntu 8.04. It's hardy out of the box.
  • Is it just me? (Score:4, Insightful)

    by Layer 3 Ninja (862455) on Tuesday May 13, 2008 @08:49AM (#23390448) Journal
    Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?
    • Re: (Score:1, Funny)

      by Anonymous Coward
      "We're from the government. We're here to help you."
    • by sticks_us (150624)
      Oh, I don't know...

      There's a strong correlation between the libertarian/independent/freethinker community and the advocacy of Linux and other [F]OSS solutions.

      And yet, doesn't every Linux kernel (2.6 or better) use SELinux [nsa.gov] [1] [wikipedia.org] ?

      • Linux kernel has no integrated security; it has some security layer that gives all security systems access (or it can; it's recommended to compile without it if you don't use it, as otherwise a rootkit could use it).

        SElinux sure it could have a NSA back-door, probably doesn't, but a lot of distros don't use SElinux; instead they opt for apparmor, or nothing at all, or other security measures (PaX, etc)
      • by valdis (160799)
        I was there while the LSM hooks into the Linux kernel were designed, and while SELinux got started (you guys think it's hard to use now, you should have seen the *first* few releases).

        Rest assured that although a good 1/2 to 2/3 of the work came from NSA staff, the people involved were competent, and understood the importance of peer review in security design. So the NSA guys didn't get any code or policy in there that didn't get reviewed by a good number of non-NSA people who had reason to expect and look
    • Re:Is it just me? (Score:5, Insightful)

      by been42 (160065) on Tuesday May 13, 2008 @09:40AM (#23390956) Homepage
      Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

      I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.

    • Yes, it's just you (Score:3, Insightful)

      by Sloppy (14984)

      Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

      Probably. What risk does it introduce, which you didn't already have?

      .msi packages are only used by one OS. If you're using that OS, then you have already made the decision to blindly and fully trust a party who is utterly unaccountable to you, whose work cannot be audited by you or anyone you designate, and who has already demonstrated that they create their software to serve interests that directly conflict with your

  • Very effective (Score:5, Informative)

    by hal9000(jr) (316943) on Tuesday May 13, 2008 @08:50AM (#23390452)
    System and network hardening is very effective. By hardening, I mean doing things like removing unnecessary services and applications; configuring the remaining services to be as featureless as possible while still doing what you need; examining the remaining service and application configurations and making changes to reduce features and employ security measures like encryption, etc.; utilizing whatever access controls are available in the strictest sense.

    That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.

    Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations however, users are used to having more control and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.
  • by neokushan (932374) on Tuesday May 13, 2008 @08:52AM (#23390472)
    The best kind of security is obscurity! So batten down the hatches by ditching your fancy *nix/BSD servers and get those old Amigas you have stashed in a loft somewhere up and running. Bonus points for using a C64.
  • by Facekhan (445017) on Tuesday May 13, 2008 @08:52AM (#23390474)
    I've used the network equipment guides to harden routers and switches before and they are very handy.

    I can't speak to how well they withstand attacks after that but if you follow their instructions an nmap scan basically reveals no open services (ssh ports have their own access lists)

    I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
  • Everyday user? (Score:2, Interesting)

    by MosesJones (55544)
    First off, the article talked about Snort, which I can't quite see my wife using, then moved on to talk about the development lifecycle, not a major part of her internet and PC experience. The NSA files, while useful, are huge (the Mac OSX 10.3 one is 2.5MB) and I can't see the everyday user trawling through that. It's only for Vista that it is really viable, as it says use the MS settings as these follow the NSA guidelines.

    So in summary the only everyday users who could do this are those using Vista.... an
    • by Torvaun (1040898)
      Slashdot doesn't really cater to the everyday user.
    • Re: (Score:3, Informative)

      by Hyppy (74366)
      The Windows XP guide is also available [nsa.gov], though they also point to the MS guides since they have become very good. If nothing else, a quick glance through the services to disable can be helpful.
    • Re: (Score:3, Informative)

      by Aram Fingal (576822)
      I read through the NSA guide for OSX 10.3 and it's surprisingly basic. Most of it just repeats common advice on Mac security that you can get from a number of places. Some of it covers things that the average user wouldn't do like disconnect the microphone so that a spy can't hack in, activate it and listen in on your conversations. The one part which I thought was good was the section on when and how to use the Keychain.
  • The days of "Security through Obscurity?" I just wonder if it's more or less prevalent today than in years past.
  • by richg74 (650636) on Tuesday May 13, 2008 @09:15AM (#23390692) Homepage
    There is an often-repeated old story that is pertinent here:

    Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."

    Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.

    • Re: (Score:3, Funny)

      by Anonymous Coward
      I heard that story from a Chinese, but the bear was a testicle-eating wild pig. Much better story
    • Re: (Score:3, Insightful)

      by jandrese (485)
      The problem is when your site is "email.whitehouse.gov" and the other guy is "conglomerated-ironworks.com". One of which is going to be a much bigger target no matter how much extra security you have.
      • Re: (Score:3, Funny)

        by WNight (23683)
        Yeah, who'd hack the whitehouse? They've deleted all their own email and sensitive documents years ago. Now that ironworking company, that sounds interesting...
    • by dpilot (134227)
      But what if the bear is bored, not hungry. He doesn't want a meal, he wants the chase and the kill.

      To shift metaphors, I've heard that the way to handle canine attack is to get down on the ground and bare your neck. It's a submission symbol, and they generally respect it. Plus they can outrun and outbite you. Of course I've never tested this personally, and I've usually been able to intimidate dogs just by acting intimidating. (I once intimidated a pair of nasty looking German shepherds, until their ow
      • by jcgf (688310)
        They can out run and out bite but if they have a collar on, you've won. Just grab the collar and put some weight into it, you'll find that you can hold their teeth away from you.
    • by daigu (111684)
      Yeah, I've heard that story too. The problem is that bears have an instinct to chase something running from them - such as weaker bears. So, if the other hiker stands still and gets out of the way, he doesn't become part of the race where at least one human is going to lose.
    • Might I suggest an alteration...

      Two guys are walking around, one has hurt his leg. They run into a zombie. The one without injuries runs, leaving his friend behind.

      He now needs to outrun two zombies.

      For targeted attacks, yes, having better security means attackers will likely pick easier targets. Since botnets carry out a fair portion of attacks though, the average computer user having better security means everyone has better security.
    • by legirons (809082)
      How does that work if the bear can chase a million victims at once, like botnets can with PC vulnerabilities?
  • How hard is it to get any real work done on super locked done system with out a lot of dead time waiting for IT to unlock what you need to get your job done?
  • by Anonymous Coward
    allow execution of only known good binaries

    one good tool out there is from solidcore.. it is being used in Point of Sale devices, ATMs and production servers in some big enterprises..

    works on windows* and unices..

    -Yv
    • Anonymous Coward wrote:

      allow execution of only known good binaries
      But who declares a binary "known good"? And how well do you expect your method to scale down to home and small-office PCs?
      • Re: (Score:3, Insightful)

        by Hyppy (74366)
        You can do that with group policy, but it's very time-intensive. Basically, you whitelist your approved binaries by filename with a hash to ensure people don't just rename their game "explorer.exe"
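The filename-plus-hash allowlist described in the comment above, as an added, stand-alone example (not from the thread, and not how Group Policy itself stores its rules). It builds an allowlist from an "approved" directory and then audits a target directory, flagging a file whose approved name carries different content (the renamed game) separately from a file with no entry at all. The directories and file contents are constructed stand-ins, not real executables.

```python
"""Audit a directory against a filename + SHA-256 allowlist.

Approving binaries by name alone lets anyone rename an arbitrary program
to an approved name, so each approved filename is pinned to the hash of
its approved content. Added illustration with constructed sample files.
"""
import hashlib
import os
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_dir: str) -> Dict[str, str]:
    """Map each approved filename to the SHA-256 of its approved content."""
    return {
        name: sha256_file(os.path.join(approved_dir, name))
        for name in sorted(os.listdir(approved_dir))
        if os.path.isfile(os.path.join(approved_dir, name))
    }


def audit_directory(target_dir: str, allowlist: Dict[str, str]) -> Dict[str, str]:
    """Classify every file in target_dir as ALLOWED, TAMPERED or UNKNOWN.

    TAMPERED: the filename is approved but the content is not (a game
    renamed to "explorer.exe"). UNKNOWN: no allowlist entry at all.
    """
    verdicts: Dict[str, str] = {}
    for name in sorted(os.listdir(target_dir)):
        path = os.path.join(target_dir, name)
        if not os.path.isfile(path):
            continue
        expected = allowlist.get(name)
        if expected is None:
            verdicts[name] = "UNKNOWN"
        elif sha256_file(path) == expected:
            verdicts[name] = "ALLOWED"
        else:
            verdicts[name] = "TAMPERED"
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed scenario: approved set, then a target with a renamed game."""
    with tempfile.TemporaryDirectory() as approved, tempfile.TemporaryDirectory() as target:
        # Constructed stand-ins for approved binaries (plain bytes, not executables).
        approved_files = {
            "explorer.exe": b"approved explorer build",
            "winword.exe": b"approved word build",
        }
        for name, content in approved_files.items():
            for directory in (approved, target):
                with open(os.path.join(directory, name), "wb") as fh:
                    fh.write(content)
        # The renamed game: an approved filename carrying different content.
        with open(os.path.join(target, "explorer.exe"), "wb") as fh:
            fh.write(b"actually a game")
        # A file with no allowlist entry at all.
        with open(os.path.join(target, "solitaire.exe"), "wb") as fh:
            fh.write(b"unapproved game")
        return audit_directory(target, build_allowlist(approved))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```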
  • Am I the only one who is surprised that the nsa uses coldfusion?
  • works ok for me (Score:4, Interesting)

    by myxiplx (906307) on Tuesday May 13, 2008 @10:25AM (#23391466)
    Basic hardening of a windows system has stood us in good stead here. IE's locked down so sites can't run scripts. CD-ROM drives are disabled, users can't install USB thumb drives. All e-mails and internet access is filtered.

    It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.
    • Re: (Score:3, Insightful)

      by bzipitidoo (647217)

      How many cases have you had of users not being able to do work, or being greatly inconvenienced and slowed thanks to those security measures?

      How about incidents where users bypassed security? Like, how have you disabled the CD? Went into the BIOS setup and simply disabled the IDE interface it's connected to? And why are you even using IE?

      You're a good way down the path of just not allowing the use of computers at all.

      • by myxiplx (906307)
        lol, not at all. Users' work comes first, otherwise I'm not doing my job am I. Haven't had any complaints at all, every web page users need for their job works, we have enough game sites working to keep them happy over lunch, and the programs they need for their job work perfectly because their computers aren't full of crap.

        CD-ROM drives are disabled by disabling the windows device driver. Users don't have admin rights so they can't re-enable them. They used to be locked in the bios, with bios passwords.
  • define "effective" (Score:4, Insightful)

    by darkuncle (4925) <darkuncle@NoSpAm.darkuncle.net> on Tuesday May 13, 2008 @10:26AM (#23391488) Homepage
    system hardening is effective at defeating certain classes of attacks. that said, most security breaches are NOT due to fancy footwork with memcpy or other low-level wizardry. They're due to either:

    1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.

    2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help ... but in the end, users just want to do whatever it is they're using the computer for. If an attacker can convincingly pretend to be legitimate, or present a convincing enough temptation, users will bypass, override or disregard any level of protection. Vista's UAC is the canonical example here - great idea foiled by end users (granted, the implementation was almost guaranteed to train users to eventually ignore the constant repeated warnings).
    • I don't like the way security has been trumpeted and politicized since 9/11. Security is so all encompassing that anything can be characterized as a security issue. Security enhancement is the ultimate hammer for every problem. We have wasted a lot of time on a patchwork fix-as-we-go stance. In the other extreme, we've spent a lot of effort going for too much in OSes. SELinux is a case in point. Yeah, sure it can really lock down and separate things, but the overhead paid in administering the box, man

      • by darkuncle (4925)

        If we could focus on fixing bugs and not see everything through the lens of security ...

        This is exactly the approach that e.g. the OpenBSD dev team takes - all bugs are squashed with equanimity. They don't consider bugs to be "less critical" because they don't represent an apparent security threat or come with an obvious exploit. This kind of consistent code-review housecleaning has the nice side effect of avoiding many security holes before they are even discovered. (See http://www.openbsd.org/security.htm [openbsd.org]

  • You can completely prevent unauthorized access with Marcus Ranum's ultimate firewall!
  • Just How Effective is System Hardening? It can be very, very effective. But the problem is the average end user completely lacks the skills and time to do this and I'd say the average sysadmin is not much better off. But if you do take the time to read up and set up services running inside (say) Solaris "containers" or on xen under link and get all your access lists set up and firewall rules done at the IP address level you can build a very secure server. I've seen server farms run for years without a pro
  • Back in 2000, some guy wrote a software patch to the Linux kernel called PaX that emulates an NX bit via marking data pages as "Supervisor" (requiring the kernel to approve TLB loads for them, basically). This quickly grew to include a policy about how a program can set memory protections (no write/execute memory), address space layout randomization, and a faster NX emulation mode; as well as support for multiple CPU architectures including those with hardware NX bits.

    A bit before that, Crispin Cowan of Im
