Server and Network Security Flashcards
premises access
- fencing
- bollard posts (protect buildings from vehicles)
- lighting
- locked gates
- security guards
- guard dogs
- limited access to areas of a facility
- motion-sensing security systems
- security cameras
- key codes/card readers
mantraps
- vestibule where 2nd inner door opens only after 1st outer door has closed
- only space for 1 person between doors
internal security controls
- clean desk policy
- locking up sensitive documents
card-based access
- RFID cards to control access
- less secure than smartcards (payment cards)
human security element
- strict hiring/background check policies
- segregation of duties
- user awareness/training
authentication
- prove identity of users/devices/services/applications
- username/password
- PKI
- successful authentication required before access granted
identity federation
- provide single centralized identity store
- can be replicated to multiple servers
- trust tokens issued from trusted identity store
- tokens contain claims
- enables SSO
- Microsoft Active Directory Federation Services (ADFS)
- Shibboleth (open source)
claims (security tokens)
- assertions about user/device
- different apps consume different claims
- provide different scopes of access depending on claim values
configuring authentication between on-premises/cloud environments
- identity federation
- replicating on-premises directory services to cloud-based directory service
something you know
- security measures stored in user’s head
- usernames/passwords
- security questions
- single-factor authentication
- password policies
something you have
- physical possession of security device
- smartcard/hardware token/MFA application
- PKI security certificate
- multi-factor authentication
OTP
- one-time password
- never the same
- used for single authentication session
something you are
- biometric authentication
- can expand existing systems to accept biometric authentication (e.g. AD)
logical access control
- mechanisms to secure authentication/authorization to use network resources
- smart cards
- adding users to web app roles to control app access
- managing individual users on large scale is difficult
- auditing individual users reduces information overload
security groups
- create group following organization standards
- grant resource permissions to group
- add members to group
- Microsoft AD users need to log off/back in to pick up changes
- groups are managed statically
distribution groups
- designed for use by email systems
- can’t be assigned permissions
DAC
- Windows Server Dynamic Access Control
- built into OS
- examines user/device AD attributes to determine access level
- can be used with/without groups
- user/device attributes must be completed in AD
RBAC
- role-based access control
- assign resource permissions to role
- assign role occupant(s)
- can target individual
rights vs permissions
- rights are either allow/deny
- permissions allow degrees of access
- principle of least privilege
Windows NTFS permissions
- local file/folder permissions
- file/folder encryption using Encrypting File System (EFS)
- file system auditing
- file system journaling (quicker disk recovery/repair)
- data deduplication
- disk space quotas
- disable inheritance
- apply permissions to subordinates
- uses DACL
levels of Windows NTFS permissions
- full control
- modify (enables file deletion)
- read and execute
- list folder contents (applies only to folders)
- read
- write (doesn’t enable file deletion)
- special permissions
DACL
- discretionary access control list
- administrator sets file system permissions
Windows shared folder permissions
- only folders can be shared over network (not individual files)
- share permissions
Windows shared folder permission levels
- full control
- change
- read
applying NTFS with share permissions
- most restrictive permissions apply
Linux file system permissions
- read (r), 4
- write (w), 2
- execute (x), 1
- delete/modify included in write permission
how Linux permissions are applied
- 3 sets of 3 permission levels applied to
- owner of file
- group associated with file/directory
- everyone else
chmod Linux command example
- chmod 760 /projects
- 7 applies to file/directory owner
- 4 + 2 + 1 = 7 so owner has full permissions
- 6 applies to associated group
- 4 + 2 = 6 so group has read/write permissions
- 0 applies to everybody else (no permissions)
- chmod -R switch recursively applies permissions to a directory
projectors
- don’t store sensitive information
- physical security
- place on isolated/secure network
printers
- queued jobs could be retrieved by attackers
- change default passwords
- use HTTPS for administrative access instead of HTTP
- print server provides centralized management/security control
USB
- easy to infect with malware
- ninja cables
- smartphones
- tablets
- storage media
- disable USB ports for storage media
- user awareness/education
NAC
- network access control
- port-based security
- edge devices should never perform authentication (forward authentication requests to RADIUS server)
RADIUS servers
- Remote Authentication Dial-In User Service
- edge devices (RADIUS clients) forward authentication requests from supplicants
- RADIUS server determines authentication/access
- install software/configure shared secret to turn server into RADIUS server
- use WPA enterprise/WPA2 enterprise for WiFi routers
- based on UDP
- primarily for centralized authentication
TACACS/TACACS+
- Terminal Access Controller Access-Control System
- designed to handle frequent authorization requests within a session
- enhances security by encrypting transmissions
- based on TCP
- normally used to administer network devices
VLANs
- creates new broadcast domain
- allows isolating networks/subdomains
- router/layer 3 switch required to communicate between VLANs
MAC flooding attacks
- VLAN attack
- fills the switch’s MAC address table, which has limited memory
- causes otherwise isolated traffic to be visible on other VLANs
- unicast traffic visible to all devices in that VLAN
VLAN hopping
- VLAN attack
- attacker spoofs identity of another switch
- creates trunking link
- all VLAN traffic can pass through link and become visible to attacker
mitigating VLAN attacks
- disable automatic trunk negotiation
- enable strong port security
- allow connections from specific/limited number of MAC addresses
- apply latest firmware updates