484 Chapter 8 • Infrastructure Security: System Hardening
updating the methods used to access the resources. It is important to look at the use and appropriateness of MAC, DAC, and RBAC in controlling access appropriately, and to coordinate this effort with the establishment of file system controls.
Head of the Class… Wide Open or Locked Down? What’s Your Choice?

To understand the difference between security and usability, consider the wireless access point that you can buy at any electronics store. Ninety-nine percent of these devices are configured with security off. That means there is no Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), or other security measures active by default. It seems that many vendors have decided that it’s more effective for them to ship these devices in an open state. That may be because it reduces help desk calls or because they assume that their users simply want a device they can easily take out of the box and get up and running. Regardless of the reason, the result is that many of these devices are left in an insecure state. While wireless encryption methods such as WEP and WPA can be used to deter attackers, they are of little use if they are never enabled. From the attacker’s standpoint, they may have the option of attacking an open network or attempting to crack WPA. Which network do you think will be attacked first?

The “deny all unless explicitly allowed” method restricts everything from the start. While more secure, this method requires significant administrative effort.
Other tasks within the OS and NOS hardening area include keeping track of updates, hotfixes, service packs, and patches. This can be overwhelming, because these items are delivered at an incredibly rapid rate. Not only are there a lot of them, but many of the vulnerabilities they address may not apply to a particular system. Administrators need to make a huge effort to evaluate the need for each fix or patch. It is very important to fully test the upgrades, patches, service packs, and hotfixes on test equipment that parallels the live environment. It is never recommended or prudent to apply these “fixes” to production systems without testing, as sometimes the “fix” ends up breaking critical services or applications. The following sections discuss and explore the methods used to harden defenses and reduce vulnerabilities that exist in systems. To get things started, let’s review the general steps to follow for securing an OS:

1. Disable all unnecessary services.
2. Restrict permissions on files and access to the registry.
3. Remove unnecessary programs.
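As an added illustration of the three steps above (not code from the book), the following script applies the “deny all unless explicitly allowed” stance to a host inventory: every enabled service or installed package that is not on the baseline allowlist is reported for removal, and sensitive files that grant group or other write access are reported for tightening. The host inventory and baseline are constructed sample data; the dataclass names and fields are assumptions for the example.

```python
"""Baseline audit for the OS-hardening steps: unnecessary services,
loose file permissions, unnecessary programs. Sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class HostInventory:
    enabled_services: set[str]      # services that start at boot
    installed_packages: set[str]    # packages present on the host
    file_modes: dict[str, int]      # path -> permission bits, e.g. 0o644


@dataclass
class Baseline:
    allowed_services: set[str]      # explicit allowlist; anything else is denied
    required_packages: set[str]     # packages the role actually needs
    sensitive_paths: set[str]       # files whose permissions must be checked


def find_unneeded_services(inv: HostInventory, base: Baseline) -> list[str]:
    """Step 1: enabled services not explicitly allowed should be disabled."""
    return sorted(inv.enabled_services - base.allowed_services)


def find_loose_permissions(inv: HostInventory, base: Baseline) -> list[str]:
    """Step 2: sensitive files writable by group or other (mode bits 0o022)."""
    return sorted(p for p in base.sensitive_paths
                  if inv.file_modes.get(p, 0) & 0o022)


def find_unneeded_packages(inv: HostInventory, base: Baseline) -> list[str]:
    """Step 3: installed packages the baseline does not require."""
    return sorted(inv.installed_packages - base.required_packages)


def audit(inv: HostInventory, base: Baseline) -> dict[str, list[str]]:
    """Run all three checks and return the remediation list per step."""
    return {
        "disable_services": find_unneeded_services(inv, base),
        "fix_permissions": find_loose_permissions(inv, base),
        "remove_packages": find_unneeded_packages(inv, base),
    }


# Constructed sample host: telnet and rpcbind enabled, crontab group-writable.
SAMPLE_HOST = HostInventory(
    enabled_services={"sshd", "cron", "telnet", "rpcbind"},
    installed_packages={"openssh-server", "cron", "telnetd", "games-pack"},
    file_modes={"/etc/shadow": 0o640, "/etc/passwd": 0o644, "/etc/crontab": 0o664},
)
SAMPLE_BASELINE = Baseline(
    allowed_services={"sshd", "cron"},
    required_packages={"openssh-server", "cron"},
    sensitive_paths={"/etc/shadow", "/etc/passwd", "/etc/crontab"},
)
```

Running `audit(SAMPLE_HOST, SAMPLE_BASELINE)` lists telnet and rpcbind to disable, /etc/crontab to tighten, and telnetd and games-pack to remove; a file missing from the inventory is treated as not writable, so real audits should also verify that every sensitive path exists.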
www.syngress.com

