The purpose of this sticky is to share basic security principles, ideas, practices and other knowledge pertaining to basic OS security. It will be updated on a regular basis, and the title will be updated as well to reflect the most recent additions.
Enjoy and hopefully we can learn from each other. Please feel free to add any information pertaining to the subjects in this thread.
Topics discussed so far: Hosts file, Password salting, Auditing
The hosts file is a plain text file that maps hostnames to IP addresses. It exists on every version of Windows (including the old DOS-based ones), as well as on Unix, Linux and Mac OS X; it is not specific to DOS-based systems. Basically, it is a local, static resolver for the hostnames you list in it: the resolver consults the hosts file before it asks DNS, so whatever IP you assign to a hostname there wins over the answer DNS would have given. On Windows the DNS Client service reads the file into its resolver cache at startup and re-reads it when the file changes (if an edit does not seem to take effect, run ipconfig /flushdns).
Why is this important?
This is important because the hosts file can be a main source of trouble if it is infected/injected with malicious content; see http://en.wikipedia.org/wiki/Mydoom.B for an example of a worm that rewrote it. Worms, now more than ever, use this file to redirect legitimate hostnames (your bank, your search engine) to malicious sites and/or to block security sites (e.g. Symantec update sites) altogether, so that your antivirus can no longer update. However, you can use the same mechanism to your advantage on your computer and your family's computer(s).
What do you mean?
Well, in the first paragraph we talked about how the file is loaded into the resolver cache and how it maps hostnames to IPs. With that being said, you can force your computer to resolve any hostname to any IP that you want. For this guide, we will be discussing forcing resolution to the loopback address, 127.0.0.1, also known as localhost. What this means is we can take a hostname like "aconti.net" (this is used for spam ads and rollover click ads) and force it to resolve to 127.0.0.1, so the request never leaves your machine and those annoying "green rollover links" do not load. Meaning, they don't appear any more.
How do I do that?
Well first, you need to find your hosts file. Note that the file is simply named "hosts" with no extension, so a search for "hosts.*" will miss it; search for "hosts" or go straight to the directory:
Windows XP/Vista/7 = C:\windows\system32\drivers\etc (that is, %SystemRoot%\system32\drivers\etc)
Windows 2000 = C:\winnt\system32\drivers\etc
On Vista/7 the file is protected, so start your editor (Notepad is fine) with "Run as administrator" or the save will fail. On Unix, Linux and Mac OS X the equivalent file is /etc/hosts.
After you have located the file, open it up. It should have a block of commented-out lines (each starting with #) explaining what it is, followed by one entry (if you haven't already edited it). That entry should simply state:
127.0.0.1 localhost
This means that the hostname "localhost" resolves to 127.0.0.1. (On Vista/7 this line may itself be commented out, because the resolver handles localhost on its own; that is fine.) (Note: save a backup of the file before editing; remember, redundancy is the key for proper restoration of a system.)
To take the example above, we can add "aconti.net" to this file to force resolution to your local machine, effectively blocking it. Here's how:
After your first line, add this:
127.0.0.1 aconti.net
So your file should now look like:
127.0.0.1 localhost
127.0.0.1 aconti.net
(The format is one mapping per line: the IP address, then spaces or a tab, then the hostname; anything after a # is a comment. Hosts entries are exact names, not patterns, so www.aconti.net would need its own line.)
Again, this points that hostname to your local machine. If you try to go to it in your browser you will get a "cannot connect" error (or a blank page, if something on your own machine happens to be listening on port 80) instead of the site's content. Save the file. You have now edited it. You can add as many hostnames as you want and each will be blocked the same way, as long as you keep the proper format. Many published block lists use 0.0.0.0 instead of 127.0.0.1; it fails faster, because nothing can ever listen on that address.
You can also use this to block sites that your children probably do not need to visit. Bear in mind that it is name-based blocking, not a real web proxy: only the exact hostnames listed are blocked, and browsing by IP address or through a different resolver bypasses it. http://en.wikipedia.org/wiki/Hosts_file - good explanation of hosts files. http://www.mvps.org/winhelp2002/hosts.htm - a ready-made hosts file so you don't have to enter a million hostnames yourself. It is the best one I have found on the net, and installing it is one of the first things I do when I set up a machine for a friend or family member. After placing the file in the correct directory, run ipconfig /flushdns from a command prompt (or reboot) so the new entries take effect.
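As an added example (not part of the original post, and not the MVPS project's code), here is a small Python script that parses a hosts file in the format described above and checks it for the two things a worm does to it: redirecting names to a remote address, and blocking security-vendor or update sites. It also builds block entries without duplicating names that are already present. The sample file, the watchlist of domains and the address 198.51.100.7 are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file for this example (not a capture from a real
# machine). The first mapping is the normal default, the next two are the
# deliberate block entries discussed above, and the last two lines show the
# pattern a hosts-file worm leaves behind: security/update sites pointed at
# an address the attacker controls, with several names packed on one line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       aconti.net            # spam / rollover ads
0.0.0.0         www.aconti.net
198.51.100.7    liveupdate.symantec.com
198.51.100.7    update.microsoft.com  www.google.com
"""

# Domains whose presence in a hosts file at all is suspicious on a home PC:
# nobody blocks their own AV vendor or Windows Update on purpose. This list
# is illustrative; extend it with the vendors actually installed.
WATCHLIST = ("symantec.com", "microsoft.com", "windowsupdate.com",
             "mcafee.com", "kaspersky.com", "sophos.com")


def parse_hosts(text):
    """Parse hosts-file text into a list of (ip, hostname, line_number).

    Handles the real format: '#' comments (whole line or trailing), blank
    lines, tabs or spaces as separators, and several hostnames on one line.
    Lines that do not start with a valid IPv4/IPv6 address are skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # garbage line; a stricter audit could flag it
        for name in fields[1:]:
            entries.append((str(ip), name.lower(), lineno))
    return entries


def is_sink(ip_text):
    """True for addresses that make a name go nowhere (127.x, ::1, 0.0.0.0)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, watchlist=WATCHLIST):
    """Return {'redirected': [...], 'watchlist': [...]} for a hosts file.

    redirected: names sent to a real (non-sink) address, the Mydoom-style
                hijack where your bank or search engine lands on the attacker.
    watchlist:  names under a watchlisted domain at ANY address, because a
                worm that merely blocks AV updates uses the same sink
                addresses a legitimate block list does.
    """
    entries = parse_hosts(text)
    redirected = [e for e in entries if not is_sink(e[0])]
    watched = [e for e in entries
               if any(e[1] == d or e[1].endswith("." + d) for d in watchlist)]
    return {"redirected": redirected, "watchlist": watched}


def block_entries(text, hostnames, sink="0.0.0.0"):
    """Build the lines to append so that every hostname is blocked.

    Names already mapped to a sink address are skipped, so re-running this
    on the same file does not pile up duplicate entries.
    """
    already = {name for ip, name, _ in parse_hosts(text) if is_sink(ip)}
    return [f"{sink}\t{h.lower()}" for h in hostnames if h.lower() not in already]


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, name, ln in report["redirected"]:
        print(f"line {ln}: {name} redirected to {ip}")
    for ip, name, ln in report["watchlist"]:
        print(f"line {ln}: watchlisted name {name} -> {ip}")
    print("\n".join(block_entries(SAMPLE_HOSTS, ["aconti.net", "ads.example.net"])))
```

On the sample above the script reports the three names on lines 6 and 7 as redirected and the two vendor names as watchlisted, and proposes only one new block line, because aconti.net is already blocked. To run it against a real machine, read C:\windows\system32\drivers\etc\hosts into the text variable instead of SAMPLE_HOSTS.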
Good luck, protect yourself and if you require any more information, feel free to send me a PM.
Pass the Salt – Salting passwords is best practice?
What is password salting?
As we know, passwords are the usual way of proving who you are to a system, and by extension of protecting files, folders and accounts (sometimes the password also serves as the key that encrypts a file). They are implemented in nearly everything we do now, as security is paramount. From system logins to Gmail to your account here, you need one to access the system, and most password policies require a certain complexity so the account doesn't get compromised (e.g. 8 characters with at least a digit and an uppercase letter). For most of us this is a pain, since we have many accounts and you should never use the same password for more than one of them. The scheme this post calls "salting" helps with that: you keep one standard root password and add extra characters to it according to a rule (an algorithm) that only you know, so every account gets a different password that you can still reconstruct from memory. It may look random to an outsider, but all you are doing is applying your rule to the root password, and since only you know the rule, the root password itself is rarely exposed. That is what salting means in the rest of this section. (One caution on terminology: in cryptography "salt" means something else, a random value that the server stores next to each password hash so that two users with the same password get different hashes and precomputed tables are useless. The server adds it and the user never sees it. What is described below is better called a per-site password modifier.)
Why should you salt?
As stated above, this increases the length and complexity of the password and makes it simple for you to remember, without having to open ye olde master password spreadsheet to find which password goes to which account. (Note: you should never do that either, but I have been guilty of this infraction in my younger years.) Additionally, with a good rule the complexity goes up enough that brute force, dictionary and rainbow table attacks against the stored hash (for more info on these please see the additional information section) are greatly hindered.
What do you mean?
Well, the explanation of salting above should be easy enough to follow; however, I will simplify it further. Basically, you come up with a standard root password (say "Password" for the rest of this post) and add digits, letters, special characters, etc. as a prefix or a suffix (or, for that matter, anywhere in the password you want).
How do I salt?
Using the password above, we can show how to salt it. Let's take the example of accessing your account on Facebook. We have Password as our root password and we want a good rule to salt it with, so for this example we will append characters to the end. And considering it is Facebook, why don't we abbreviate that to "fb", separate it with a dash and add it to the end:
Password-fb
As you can see, this accomplished a few things.
1. Increased the length of the password, which makes a brute force attack take longer and makes a plain dictionary attack miss it entirely (the root word alone is in every wordlist; "Password-fb" is not).
2. Rainbow tables are precomputed for short, plain passwords, so a longer password with a site-specific suffix is much less likely to be in one; even an attacker who has worked out your rule would have to build a new table around it, which costs them time.
3. Added a special character (the dash), which enlarges the character set an attacker has to search and reinforces the first point.
4. Made it simpler to remember, because you are on Facebook and your rule is the abbreviated site name.
And we can apply the same rule to every other site we visit (e.g. the Newsweek account password would be Password-nw). It is the rule that gets reused, not the password: ideally you keep one rule everywhere for ease of use, and every site still ends up with a different password.
Now, the example above is quite simplistic, just to show the idea of salting. You would want a harder rule for complexity, and a placement for the salt that only you know (the middle of the root password, for instance, rather than always the end).
Also, it is best to base the salt on something no one else would know or be able to guess.
Example: the name of your favourite car as a salt (provided it is not something you mention on your public profiles).
Again, make use of the whole keyboard to increase complexity: mix upper and lower case, digits and punctuation in both the root password and the salt.
As you can see, this simple yet effective process can increase your security while making your passwords easier to remember. You always have the same root password and only you know your salt rule. Two caveats: the root password itself must be strong, because every derived password inherits its weakness; and if one derived password is exposed (say, in a site breach), change the root, because an attacker who sees "Password-fb" can guess the rule and try "Password-nw" elsewhere. A password manager, which generates an unrelated random password for every site, avoids that problem entirely.
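To make the two meanings of the word concrete, here is an added Python example (mine, not from the original post) with both side by side: derive_site_password implements the per-site rule described above (root password plus site abbreviation, at a position you choose), and hash_password / verify_password show what "salt" means on the server side, using PBKDF2 from Python's standard library with a random 16-byte salt. The function and parameter names, the iteration count and the stored-record format are my choices for the example.

```python
import hashlib
import hmac
import os


def derive_site_password(root, site_abbrev, sep="-", position="suffix"):
    """The per-site rule from the post: root password plus a site tag.

    position is 'suffix' (Password-fb), 'prefix' (fb-Password) or 'middle'
    (the tag spliced into the centre of the root), which is the "placement
    only you know" idea. Note that the output is only as strong as root.
    """
    if position == "suffix":
        return f"{root}{sep}{site_abbrev}"
    if position == "prefix":
        return f"{site_abbrev}{sep}{root}"
    if position == "middle":
        half = len(root) // 2
        return f"{root[:half]}{sep}{site_abbrev}{sep}{root[half:]}"
    raise ValueError(f"unknown position {position!r}")


# --- what a server should do with whatever password you send it ----------
PBKDF2_ITERATIONS = 200_000   # example value; the cost is the point, raise it over time
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iters$salt_hex$hash_hex' using a random salt.

    The salt is not secret; it is stored in the clear beside the hash. Its
    job is to make every hash unique, so a rainbow table built for
    'Password' (or even for 'Password-fb') matches nothing in the database.
    The salt argument exists only so tests can get a repeatable record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_records_differ(password):
    """Two users choose the same password: with a real salt their stored
    records still differ, so a cracked hash does not unlock both accounts."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    for site in ("fb", "nw"):
        pw = derive_site_password("Password", site)
        rec = hash_password(pw)
        print(site, pw, rec[:40] + "...", verify_password(pw, rec))
    print("same password, different records:", salted_records_differ("Password"))
```

The user-side rule and the server-side salt solve different problems: the rule keeps your passwords distinct across sites, the salt keeps one site's hash database from being cracked with a precomputed table. Neither replaces the other.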
Auditing – Making your life easier with Audit Logs.
What is auditing?
By now, I am sure everyone has heard the term auditing. Most of the time it involves an audit of a specific job, process, workflow, money trail, etc., to show its effectiveness, usefulness and/or necessity. Some of that applies to auditing in Windows too, but for this guide we will use a narrower definition: auditing is the recording of system, application and security events, so that you have a baseline of what actually goes on while the computer is powered on and in the OS. Windows records a great many of these events out of the box, and the audit policy (covered below) controls how much of the security-relevant activity is captured on top of that; this is what we will be talking about, audit logs and how to set them up. The records are written to the event logs and show a multitude of things, including (but not limited to) logons, permission changes, file deletion and hardware failures. These logs are vital for security as well as for troubleshooting when software or hardware fails or is about to fail. From this information we can determine the proper course of action to prevent, deter and/or solve failures of hardware and software, and to investigate security events.
What do you mean?
Auditing is basically your computer writing a journal of everything that happens, from something as small as a CD producing CRC (cyclic redundancy check, i.e. "cannot read") errors to who and what has been accessing your computer, files and folders. The idea is that if you do have trouble, all you have to do is read the journal at or near the time of the error (every entry is timestamped) and decide what you need to do to prevent or fix the problem.
Why should I audit?
As previously stated, there is a wealth of information that your computer stores for your benefit. We will go over the different event logs in a later paragraph, but what you need to know is that you can check these logs any time you need information about your system's processes and accesses, to ensure proper security practices are being followed and that you and your information haven't been compromised.
How do I do that?
First off, let's look at where the logs are and how to view them. There are many ways to get to the event logs; here are the two I mostly prefer.
1. Right-click on My Computer and select Manage. Under System Tools in the left pane (the tree), double-click Event Viewer. On Vista/7 you should notice a folder called "Windows Logs"; expand it and you should see at least three logs named Application, Security and System (XP lists these directly under Event Viewer). There will possibly be more logs depending on what is installed on your machine. [I will go over what each log records in one of the following paragraphs.]
2. Another way to access the logs is to open a Run dialog, either by clicking Start then Run... or by pressing the Windows key (the key with the little Windows logo on it) and the "r" key together. When the window comes up, type eventvwr.msc and hit Enter. (On Vista/7 only administrators can read the Security log, so expect a UAC prompt or start Event Viewer elevated.)
After you open up the event viewer, go ahead and peruse the logs within each of the folders to familiarize yourself with these.
As stated before, there are three main event logs that we will focus on:
Application: events written by software running on your computer (e.g. Internet Explorer, Adobe products, application installers, System Restore, etc.).
Security: accounts logging on and off, policy changes, object access, etc. (e.g. an administrator logs in and an event is recorded with the account and the time). What ends up here is governed by the audit policy discussed below.
System: hardware issues and operating-system components (e.g. CD-ROM failures, the DNS Client, the Windows Update client, services such as an antivirus updater starting or failing, etc.).
Now that you know where your logs are located for reference purposes; lets walk through how to setup your logging in an efficient manner.
You will need to open another Run window (Windows key+r), type "secpol.msc" and hit Enter. (The Local Security Policy snap-in is not included in the Home editions of Vista/7; there, use auditpol from an elevated command prompt instead.)
This brings up the Local Security Policy applied to your machine. If the machine is joined to a domain, Group Policy can override what you set here, and the domain setting wins.
Go ahead and expand the Local Policies folder; the first folder should say "Audit Policy." This is what we will be checking. Click on Audit Policy and you should see nine policies that can be set. On XP all of these default to "No auditing." On Vista/7 the snap-in also shows "No auditing," but the workstation defaults already audit some subcategories (successful logons, for instance), which is why your Security log is not empty; running auditpol /get /category:* from an elevated command prompt shows the settings actually in effect. Each item is self-explanatory, and each has an Explain tab describing what it controls. To change a policy, double-click it and tick Success, Failure or both.
A few that I always set are: Audit account logon events
Audit account management
Audit object access
Audit policy change
Audit privilege use
Audit system events
For demonstration purposes, go ahead and set "Audit account logon events" to Success and Failure and click OK. Log off and log back on, and you should have a new item in the Security log showing the credential check for your logon (event ID 4776 on Vista/7, 680 on XP, for a local account). If you also enable "Audit logon events" you get the logon session itself (4624 on Vista/7, 528 on XP), which records the logon type and, for network logons, the source address; failed attempts show up as 4625 (529 on XP).
Conversely, you can set auditing on specific drives or folders and make it more granular by controlling what is logged and for whom (e.g. reading folders, deleting files and folders, writing to files). This only produces events if "Audit object access" is enabled in the audit policy above; the per-object settings then decide which objects, which accounts and which kinds of access get reported.
To do this, open My Computer, right-click a drive (or, better, a folder you care about) and select Properties. Click the Security tab, then Advanced, then the Auditing tab (on Vista/7 you click Edit and confirm the UAC prompt before you can make changes). Unless you have set this already, the "Auditing entries" box will be empty. Click Add, enter the account or group to audit (Everyone, if you want all access recorded) and hit OK. This brings up the list of access types that can be audited. Tick the ones you feel need to be audited and hit OK. The Successful and Failed boxes next to each type are not about who may audit: Successful logs the access when it is permitted, Failed logs the attempt when it is denied, and the failures are usually the more interesting of the two. The "Apply to" setting lets you cover all child objects (files and folders) under the drive. Be selective: auditing Read on a whole drive floods the Security log with object access events (ID 4663 on Vista/7), and once the log is full it overwrites its oldest entries, so start with Delete and Write access on the folders that matter and raise the Security log's maximum size (right-click the log in Event Viewer and choose Properties).
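Reading the logs by hand works for a one-off, but the point of collecting them is to ask questions of them. As an added example (not from the original post), here is a Python script that runs two detections over a hand-constructed extract of a Security log: repeated failed logons followed by a success from the same source (password guessing that worked), and the events that show someone tampering with auditing itself (audit policy changed, log cleared, new account created). The CSV layout and its column names are my own simplified shape of the fields the real logon events carry; a real export from Event Viewer's "Save As" or from wevtutil has more columns but the same event IDs. The ID table covers the Vista/7 numbers and the older XP ones, and the threshold and window are example values.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Security log event IDs by meaning. Vista/7 uses the first set; XP (and
# 2000) used the older numbers, so both are normalised to the same labels.
VISTA_IDS = {"4624": "logon_ok", "4625": "logon_fail",
             "4719": "audit_policy_changed", "1102": "audit_log_cleared",
             "4720": "user_created"}
XP_IDS = {"528": "logon_ok", "529": "logon_fail",
          "612": "audit_policy_changed", "517": "audit_log_cleared",
          "624": "user_created"}
MEANING = {**VISTA_IDS, **XP_IDS}

# Constructed sample export (not a real log). Columns are a hand-picked
# subset of what the real events carry. It shows a normal morning logon, a
# night-time burst of failures against Administrator from one address that
# ends in a success, and the clean-up an intruder typically does afterwards.
SAMPLE_CSV = """\
time,event_id,account,logon_type,source_ip
2011-03-05 08:59:10,4624,alice,2,-
2011-03-05 22:14:01,4625,Administrator,3,192.168.1.77
2011-03-05 22:14:03,4625,Administrator,3,192.168.1.77
2011-03-05 22:14:05,4625,Administrator,3,192.168.1.77
2011-03-05 22:14:06,4625,Administrator,3,192.168.1.77
2011-03-05 22:14:09,4624,Administrator,3,192.168.1.77
2011-03-05 22:15:30,4720,backup2,-,192.168.1.77
2011-03-05 22:16:02,4719,Administrator,-,-
2011-03-05 22:16:40,1102,Administrator,-,-
2011-03-06 08:58:44,4625,alice,2,-
2011-03-06 08:58:52,4624,alice,2,-
"""

FAIL_THRESHOLD = 3            # example value: failures before we call it guessing
WINDOW = timedelta(minutes=5)  # example value: how close together they must be


def parse_events(text):
    """Turn the CSV extract into time-sorted dicts with a normalised 'kind'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "id": row["event_id"],
            "kind": MEANING.get(row["event_id"], "other"),
            "account": row["account"].lower(),
            "logon_type": row["logon_type"],
            "source": row["source_ip"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_guessing(events):
    """Flag (account, source) pairs with FAIL_THRESHOLD or more failures
    inside WINDOW, and record whether a success followed within WINDOW,
    which means the guessing most likely worked."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] in ("logon_fail", "logon_ok"):
            by_key[(e["account"], e["source"])].append(e)
    for (account, source), seq in by_key.items():
        fails = [e for e in seq if e["kind"] == "logon_fail"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["time"] - fails[i]["time"] <= WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                last = burst[-1]["time"]
                success = next((e for e in seq if e["kind"] == "logon_ok"
                                and last < e["time"] <= last + WINDOW), None)
                alerts.append({"rule": "password_guessing", "account": account,
                               "source": source, "failures": len(burst),
                               "succeeded": success is not None,
                               "time": burst[0]["time"]})
                break  # one alert per pair is enough
    return alerts


def detect_tampering(events):
    """Audit policy changes, log clearing and account creation are rare on a
    home machine, so every one of them deserves a look."""
    return [{"rule": e["kind"], "account": e["account"], "time": e["time"]}
            for e in events
            if e["kind"] in ("audit_policy_changed", "audit_log_cleared", "user_created")]


def run(text):
    ev = parse_events(text)
    return detect_guessing(ev) + detect_tampering(ev)


if __name__ == "__main__":
    for alert in run(SAMPLE_CSV):
        print(alert)
```

Run against the sample, the script raises one password-guessing alert (four failures against Administrator from 192.168.1.77, success afterwards) and three tampering alerts; alice's single mistyped password at 08:58 does not trip the threshold. Note the order of the last three sample events: a log cleared (1102) after a policy change (4719) is exactly why the Security log should be large enough, and ideally copied elsewhere, before an intruder gets to it.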