Basic Security "To Do" List

[Sm0kinP0t]

[Note]This tutorial is for newbies, i doubt any of the more knowledgable users will learn something from it. I won't treat physical securing of the box cause i've seen a very good tut somewhere in AO already.

[Goals]I noticed that we see the same basic security questions posted day after day, so i decided to do my own litlle tut in order to give my modest contribute to the matter. I'll try to be clear, provide the necessary links and give as much core information possible.

[Subjects]
*Introduction
*Patches/Updates
-Microsoft updating
-General updating
*Anti-Virus
*Spyware
*Firewall
*Email
*Security Tools
*others


---------------------------------------------------Introduction-----------------------------------------------------
The first thing you must bare in mind (no matter how l337 you think you are) is that you are NEVER 100% secure. And if you still think you are, don't brag about it or it will take lesser time then you think to some pissed of guy to own your box.
The only think you can do is to employ a responsible conduct on your net usage and always try to be as informed you can, securing whatever can be exploited the best you know.

Now, on to the real deal...


------------------------------------------------Patching/Updating------------------------------------------------
There IS indeed a reason why patches are released: because all software has bugs that can be used to harm your computer.

-Microsoft Updating:
When you first receive your computer, it already comes with a default Operative System installed (usually Windowz). What you should remember is that since the time that SO was launched and the time being that you receive it, there are tons of critical updates that you have to patch your system with if you want to last a week on the web.

If you don't know where to beggin the updating, turn your internet connection on and try clicking the lower left corner [Start Button] and at the top of that there should be the link named [Windows Update]. Click it and follow the intructions.
If there is no such link, click on [Start Button]>[Search] and enter 'wupdmgr.exe'. This is the program used to check your pc for updates. In worst case scenario click here to go directly to the microsoft update page.
Remember to often check for updates, they can mean the difference between a visit to the park on sunday or spending the weekend with the technician whyle he tries to explain you what happened.

-General Updating:
Updating your software is almost as important as updating your SO. I'll suggest you check software such as your Anti-virus and your Spyware remover at least every 2 days. Recently we had to deal with Blaster, so you get the picture on how fast new worms can spread.
[pong]UPGRADE ALWAYS![/pong]


----------------------------------------------------Anti-Virus-------------------------------------------------------
The first step not to get caught on virii is to have a good top-of-the-class anti-virus scanning your hard drive at least once a week and always running actively in the background in order to prevent virus/malicious codes/dangerous email atachments from being installed.
If you can afford it, will have to suggest
Norton AV, it's paid but you are likely not to be compromised by virii if you configure it properly (enable mail scanning, background runnig,active script check,daily scan).
If you require a good free AV that can integrate itself on email, and do the other mentioned things, get avast!, it offers you updates and everything for absolutly 0 $.


---------------------------------------------------------Spyware---------------------------------------------------
Spyware is a jargon for adware. It is mainly a program that you did not choose to install, that came hidden within some other .exe or something you downloaded from the net. It often chagens your register to redirect you to porn sites or some product, but it can also be used to steal your information (spy). Even if you ear someone saying that it's needed for a certain program to be run and that your info are secure and not going nowhere, keep in mind that you actually have a server running on your box ready to call home any time it is told to. You can see the risks.
Regarding spyware, there are two essential tools you have to get:
Spyware blaster, that downloads info on spyware from their database and integrates it self (you wont even notice it) and prevents spyware from even getting near your computer;
SpyBot Search&Destroy, that scans your pc for spy even if they are yet to be installed, meaning when they are compacted along with the proggie you just got from the web.


---------------------------------------------------------Firewall-----------------------------------------------------
A firewall is a barrier that separets your computer from the rest of the internet (sord of). See it as the gate that protects your house - if you have no gate, any one can come in and take a peek right? Your computer uses 'ports' it has to connect to the internet, and has you can imagine, if one can go out through that port, one can surelly come in. The firewall 'locks' those ports in order for you to have control to what gets to your computer or not.
If you know something about the subject, get Sygate so you can have a more professional control on internet traffic. If you just want a superb firewall with a easy user interface, get Zonealarm. It will do that good of a job too.
Below are some common ports used by well known protocols and programs:
ftp 20/tcp File Transfer Protocol [Data]
ftp 21/tcp File Transfer Protocol [Control]
ssh 22/tcp ssh remote login protocol
telnet 23/tcp telnet
smtp 25/tcp Simple Mail Transfer Protocol
domain 53/tcp Domain Name Server
domain 53/udp Domain Name Server
tftp 69/udp Trivial File Transfer
www 80/tcp World Wide Web HTTP
pop3 110/tcp pop3
ntp 123/tcp Network Time Protocol
ntp 123/udp Network Time Protocol
imap 143/tcp imap
https 443/tcp http protocol over TLS/SSL
rip 520/udp ocal routing process (RIP)
hate 666/udp hate protocol [Gruttaduaria]
citrix 1494/tcp Remote desktop
citrix 1604/udp Published Apps
rdp 3389/tcp Remote desktop protocol
http-alt 8080/tcp http Alternate (see port 80)

WARNING: DO NOT trust winXP built-in firewall to do the job, it filters only incoming traffic, so if a trojan gets into your computer, it will be able to call home freely and the user will be mislead to think that he is protected.


--------------------------------------------------------Email-------------------------------------------------------
A lot of worms spread through email, so my advice is to never even open an unknown recipient email nor download attachments you dont know requested.
Even if a budy of yours sends you an email with a suspicious title and an even more suspicous attach. , be carefull because he might have gotten compromised and may be spreading a worm automaticaly.


--------------------------------------------------------Tools-------------------------------------------------------
What better way to be secure then to find vulnerabilities yourself before others do and hack you?
Here are some good tools that can audit your PC for known issues and give you a heads-up on what you need to correct:
Microsoft Baseline Analyzer,searches for known vuln in Win ;
LANguard, can scan computers on your network, use it to scan yours;
PortPeeker, lets you know what is trying to get a look in your box;
Canary, monitors internet access with tons of features available;
HFNetChk, lets you know what patches are available and what have been downloaded.

Besides those proggies, you can go to:
GRC.com; and
Audit my PC for aditional scanning.


--------------------------------------------------------Others-------------------------------------------------------
Well, this is about it. I'd also advise you to go to [Control Panel]>[Network Connection]>[your default connection]>[Properties]>[Networking] and make sure 'Client for microsoft network' and 'File and printer sharing' aren't checked.

Download IP Scanner to check for active shares.



And that's all folks. Please do add/correct things you think are not 100% right.
+2 cent on the box
greetz

[skiddieleet]

updating your SO

Not a big deal but did you mean OS. I could just not know what you were talking about. Also this is kindof a big deal, in you tut you have your little sliding text that says "Upgrade always". I believe that you should always wait to upgrade until you can confirm that it is a good decision. I'm sure there have been times where an upgrade completely fell apart, so I would say upgrade, but do a little research and wait until you here from others about the upgrade first. You may have mentioned that somewhere and I missed it, but just wanted to be sure. Otherwise it was an ok tut in my book.

[sysmin770]

I agree with h3r3tic, never update immidately escepecially in a production enviornment. Microsoft has a way of screwing things up. If your company runs custom apps that programmers have made then certain updates could cause them not to function and in turn most likely cause someone to become job-less.

Also this isn't a big deal, but this is all about Microsoft stuff. A more aptly named title would have been "Basic Microsoft Security To Do List". But that is just my opinion.

[MrLinus]

Woohoo! I want to update my SO. I want one that makes more money.

I have to agree with h3r3tic on the upgrade options tho'. A friend who runs an entire MS shop upgrade SQL one day. It took him 36 hours to rebuild the server after he applied the patch. Apparently they made a little "boo-boo". Similar to the Service Pack 6 for NT fiasco and Lotus Notes back a few years ago. Do upgrades but test them first on a play/test machine before going to the production box.

[Alphaflux]

aside from some spelling errors, i think it was a good start at a tut. good links, i went to a few of them, as far as a first tut, i think it had alot of good info for newbies.
Cheers

[!mitationRust]

(Suggestion)Some more tips you could add
The first thing is to delete the default usernames and passwords.

Next you can and should change your root username to something other than "root". It's also a good idea not to always log in under and use the root identity.

If you work in an office you should always engage a screen lock or go to the log-in screen so your co-workers can't edit your files while you're away.

If you're at home you might choose not to give root passwords to your children.

You should also look at your logs frequently to make sure hackers aren't attacking your system and forgetting to clear their entries in the log.

You could install a hardware firewall or just a router so you won't have a public IP address.

Finally you could install a NAT box or SmoothWall

And a simple report you could add in
Nachi is out of control or at least on our local cable connections for one of our test systems. For example we average a Nachi ICMP ping event every seven seconds. What does this mean? Imagine that you have built a new XP system and now want to go online to use WindowsUpdate to download and install the latest patches. Your system will easily be infected before you even start to download the first patch (before you go online with a unpatched XP system enable the ICF or you will be infected within seconds of connecting to the internet). Go online with an unpatched, unprotected Win2k system you too will be infected within seconds. Is it this bad everywhere, maybe, maybe not, but it is that bad here. Nachi is a triple thread on hits, first there are the Nachi Pings (note a Nachi ping is not the same as a regular ping) second, Nachi scans TCP ports 445 and 139, and third it scans TCP port 135 and now we are starting to see an increase in secondary infections on systems which started out as Nachi infected systems. Put all this together and Nachi is easily the biggest worm in history in terms of traffic events generated, relegating even Opaserv and similar worms to what used to be an unthinkable second place on the hit parade (I didn't think it could get much worse then Opaserv, guess I was wrong).

Given the IP generation algorithm that Nachi uses we have a possible scan source of 260,100 IP Addresses and assuming that every one of them is in use (our ISP would be the happiest camper on the planet if this was actually the case, but we will use this in order to be very, very conservative), that would mean at least 2% of systems in our local net node are infected with Nachi (we have seen almost 100,000 Nachi pings from over 5,400 IP Addresses over the last 9 days). I also suspect that Nachi has some problems with its random IP generator in that it is not uniform in distribution in that if you whacked 3 or 4 local infected systems here it would drop our Nachi traffic by about 50% (can anyone else confirm this), which also means there could be additional locally infected systems from which we never see traffic.

What does all this mean? Simply there are still far too many systems that are vulnerable to attack. Nachi was released on August 18th and the media attention was significant, and yet at least 2% of systems on the internet (or at least on our net node) are still infected. That fact basically indicates that at least 2% of systems on the internet suffer from very poor security and or administration and hence continue to be vulnerable to the next mass attack (these are systems where the owner is totally unaware and doesn't include the systems which were initially infected then cleaned up). Overall this equates to millions of systems on the internet which remain vulnerable and easily enough to do serious damage. In short security awareness on the internet still has a long, long way to go before we can even begin to think the internet is safe (I personally doubt it will ever be 'safe'). Combine this with the fact that all of these systems could be set to automatically download and apply required patches, it is not a technology problem but simply a user awareness problem.

So what do the graphs show?
1. Inbound Attacks, 12582 suspicious scans or attacks consisting of 23 attacks or scans types (note this does not include Nachi pings).

2. Attacks and Scans came from 3,683 different sources. Note that 4 addresses make up almost 50% of the scans/attacks (possible indication of the lack of uniform IP generation within Nachi as these systems are Nachi infected systems).

3. Number of attacks/scans per hour. Interestingly the last couple of days the number of attacks has reduced and stabilized (we have been doing some notification of infected systems and perhaps this has been making a difference).

4. Number of ICMP events per hour for the last 9 days showing that a number of these systems must be shut off at night and evening are the time when most infected systems are online (ie home users). From a previous study we found that over 99.98% of these ICMP events were Nachi pings.

5. Port Events showing the match between TCP port 135 and 445 traffic indicative of Nachi infections. UDP port 137 traffic is from Opaserv type worms (scans for systems with available file shares, the previous bad boy king).

6. Number of unique IP addresses from which the various port traffic is originating from. Note since Nachi uses a restricted IP generation algorithm, only a few infected systems can generate a lot of local traffic (similar to Code Red. I think the original Nachi author's intention was to have a couple of systems maintain the 'security' of each node, but he vastly underestimated the number of unmaintained systems and hence the resulting overdose of Nachi traffic, ie the solution has become a problem). Opaserv type worms are not localized and use an unrestricted uniform distribution algorithm for IP generation.

I should point out for about 2 - 3 weeks we ran an automatic notification program here which sent out notification to Nachi infected systems and talking with some other people our Nachi scan rates are lower here then in other netblocks because of the notifications sent resulted in a number of systems being cleaned up.

[Fatphantom]

Great tut! Shows the newbies how important it is to Update.

And the products you listed might come in handy to some people.
You might want to add some more tweaks that you can make to prevent security hazards, and you forgot to mention backin gup the registry. Good post anyways.

[Datsun 260Z]

Good tutorial!