Learning Activity Plan
Information Technology Security Specialist
18
ACKNOWLEDGEMENTS
Learning Activity Plan (LAP) developed by: Joe Mallen), faculty member of Southwest Texas Junior College. This LAP was developed under the auspices of the Texas State Leadership Partnership for IT Specialist Curriculum Development and funded by a grant from the Texas Higher Education Coordinating Board, Community and Technical College Division. This LAP is recommended for use by community and technical colleges in Texas.
Authorizing Agency:
Texas Higher Education Coordinating Board, 1200 East Anderson Lane, Austin, TX 78752 (www.thecb.state.tx.us)
Funded by: Carl D. Perkins Vocational Education Act
Project Advisor: Rob Franks, Texas Higher Education Coordinating Board
Project Staff:
Director, Brent Kesterson, Tech Ed Division, Richland College, 12800 Abrams Road, Dallas, TX 75243
Coordinator, Ngoc Truong, Tech Ed Division, Richland College, 12800 Abrams Road, Dallas, TX 75243
Project Partners:
Collin County Community College, Ann Beheler, Barbara Taylor
Dallas County Community College District, Don Perry
Del Mar College, Larry Lee, Michael Harris
North Harris College, Bill Coppola, Allen Rice, Calvin Rennels
Richland College, Kay Eggleston, Martha Hogan, Paula Dennis
Southwest Texas Junior College, Dick Whipple
Southwest Texas Junior College, Joe Mallen
Texas State Technical College – Waco, Linda Shorter
Tyler Junior College, Charles Cowell
Non-exclusive copyright © 2003. Non-exclusive copyright is retained by the U.S. Department of Education, the Texas Higher Education Coordinating Board, and Richland College. Permission to use or reproduce this document in whole or part is granted for not-for-profit educational and research purposes only. For any other use, please request permission in writing from the Technical Education Division, Richland College, 12800 Abrams Road, Dallas, TX 75243. Phone: 972 238-6396. FAX: 972 238-6905
.Table of Contents
Classroom Setup Requirements 4-5
Discover Windows 2000 Vulnerabilities 6
Discover Linux Vulnerabilities 7
Configuring an Audit Policy & Manage your Event Logs 8
Using Strong Passwords in Windows 2000 9
Using Strong Passwords in Linux 10
Viewing Open Ports in Windows 2000 11
Protecting your OS against Dictionary Attacks 12
Disable terminal access to root account in Linux 13
Using a Keylogger Program 14
Using Security Analyzer on a Win2000 and Linux Client 15-16
Removing Unnecessary services and changing Misc. security settings 17
Using Bastille to Reduce the Risk in a Linux System 18
Classroom Setup Requirements
Hardware Requirements:
The following table is the suggested hardware requirements for this course:
Hardware Specifications / Greater than or equal to the followingProcessor / Intel Pentium II (or equivalent) personal computer with processor greater than or equal to 300 Mhz.
L2 Cache / 256KB
Hard Disk / 8-GB Hard Drive
RAM / at least 128 MB
CD-ROM / 32x
Network Interface card (NIC) / 10BaseT or 100BaseTX (10 or 100 Mbps)
Sound card / Speakers / Required for Instructor Station, optional for student stations
Network Hubs / Two 10-port 10Base T or 100BaseTX (10 or 100Mbps)hubs
Router / Multi-homed system with three NICs (Windows 2000 server)
Software Requirements:
The following software is used in this course for both the instructor and student systems.
· Microsoft Windows 2000 Server, with Microsoft Internet Explorer 5 or later, including Outlook express. If possible create three partitions: Two should be formatted in NTFS for Windows 2000. A sufficiently large partition should be left completely blank so that it can be used by the Red Hat Linux 7.x Installation.
· Current Microsoft Windows 2000 Service Pack (unless otherwise directed in a lesson)
· Webtrends Security Analyzer with optional agents for Red Hat Linux (www.webtrends.com)
· Ipswitch WS_Ping ProPack Version 2.1 or later (www.ipswitch.com)
· Red Button
· Netbios Authorization Tool (NAT)
· Amecisco Invisisible Keylogger Stealth
· Resource Kit Demonstrations files (Diskmap.exe, dmdiag.exe, drivers.exe, pstat.exe, pulist.ext and perms.exe (www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp).
· Full Installation of Red Hat Linux (Red Hat Linux 7.x) See Linux installation instructions for component details. Do not choose “server installation” which will completely reformat the hard drive and destroy your Windows 2000 installation. You should have the installation program automatically install the following services:
o X Windows
o DNS Package (including Bind V8)
o Shadow passwords
o Development (contains GNU C compiler)
o Both Linuxconf and Gnome Linux-conf (either on the installation disk, at www.rpmfind.net, or at the Linuxconf website: www.solucorp.qc.ca/linuxconf)
o Winfile
o Fport
o Bastille version 1.1.0
Note: You can obtain the installation files for Red Hat Linux 7.x a www.redhat.com. If you are new to the Red Hat Linux installation procedure, visit the following site for more detailed instructions on how to install: http://www.redhat.com/docs/manuals/linux/
Discover Windows 2000 Vulnerabilities
Learning Outcome
Identify Windows Vulnerabilities during an initial default installation of the operating system. Students will learn to use a program to discover the built-in accounts on remote servers and use a dictionary type attack to discover passwords.
Recommended Resources for Learning Activity
“RedButton” Program
NetBIOS Auditing Tool (NAT)
Recommended Instructor Preparation for Learning Activity
Instructor lecture on how vulnerable a Windows 2000 Server can be out of the box. Classroom discussion on how you can utilize the RedButton program to discover the built-in account (Administrator) or the account name if it has been renamed, and the available shares on the Server. Also, discuss how to use the NAT program to perform a dictionary attack. Students should be familiar with the concept of “Shares” and “Dictionary Attacks”.
Recommended Instructor/Student In-class/lab Activity
Methods to:
· Capture Student Attention: Tell the students that they are about to learn how to become hackers and at the same time understand some of the Vulnerabilities with Windows 2000 Server
Lab – Discover Windows 2000 Vulnerabilities:
1. Install the Redbutton program and run it.
2. Choose No when the program asks your intentions.
3. Enter the IP Address of the computer you are hacking and click on OK.
4. Click the Go Area in the Main Window
Note: Redbutton will come back and give you the built-in account name and the available shares. Now all you need is the password. The following steps will perform a dictionary attack to discover the password.
5. Install the NAT program.
6. Command prompt: Enter the following command -- >
NAT – 0 results.txt –u userlist.txt –p passlist.txt <ip address of the remote computer>
7. Command prompt: Enter -- > Type results.txt | more or open the results.txt file with a word-processing program like notepad.
8. Search the file and discover the successful break-in attempts including the administrator password.
9. Now that you know the system administrator password, log on to the remote computer administrative share by going to Start | Run and entering the following command:
\\remote_machines_ipaddress\C$
10. You have now seen a simple example of the process of breaking into a system.
Discover Linux Vulnerabilities
Learning Outcome
Identify Red Had Linux Vulnerabilities during an initial default installation of the operating system.
Recommended Resources for Learning Activity
www.solucorp.qc.ca/linuxconf
Recommended Instructor Preparation for Learning Activity
Instructor Note: Linuxconf must be installed. You can download it from the Linuxconf home page listed above. Also, student Linux servers should be configured to allow all connections by default for this lab to work.
Recommended Instructor/Student In-class/lab Activity
Lab - Discover Linux Vulnerabilities and modify Linux settings:
1. Login as Linux root user. Use the /user/sbin/useradd command to create a non-root account named student. Make sure to use the /user/bin/passwd command to give the student user a password of password.
2. Log off as root and login as student. Use the reboot command to reboot the system.
Note: You will see that a non-root user can reboot the system. You should also be able to use the halt and poweroff commands.
3. Assume root by using the su command. As root, change to the /etc/security/console.apps/ directory.
4. Using a text editor enter the following into the /etc/security/console.apps/poweroff file:
USER=ROOT
SESSION-TRUE
5. Now log back in as student
6. Try using the poweroff command. Notice that student can no longer use this command.
7. Now, make the same changes to the halt command by changing the values to USER=root and SESSION=true.
8. From another computer, open a Telnet Session and logon to your Linux server. Enter Student as the login name, but enter the wrong password. Notice that after three attempts the system will automatically reset the connection.
Note: This default setting is effective against brute force attacks.
9. Log on as root. Open linuxconf and go to User Accounts | Policies | Password and account policies icon. Notice the default minimum length for a password is six characters, and there are no minimum non-alphanumeric characters required.
10. Click the Params tab.
11. Note that no password aging settings are set.
Configuring and Audit Policy & Manage your Event Logs
Learning Outcome
Implement procedures to secure and monitor audit logs and set system administrator alerts
Recommended Resources for Learning Activity
Windows 2000 Server
Recommended Instructor Preparation for Learning Activity
It is recommended or helpful that students have a good understanding the security policy MMC of a Windows 2000 Server.
Recommended Instructor/Student In-class/lab Activity
Two Part Lab.
Part I
Lab – Configure and Audit Policy
1. Click Active Directory Users and Computers from the Administrative tools menu. If auditing is to be configured on a standalone computer, click Local Security Policy from the Administrative tools menu
2. To have the domain controllers audited, right click the Domain Controllers OU. Click Properties.
3. Click the Group Policy tab and then the Edit button. If there is no group policy to edit, choose New to create a new Policy
4. In the left pane of the group policy screen, maneuver to Computer Configuration, Windows Settings, Security Settings, Local Policies, Audity Policy.
5. Double-click the event that is to be audited
6. In the Security Policy Setting dialog box, click Define these policy settings, and choose whether to audit successes, failures or both.
Part II – Filtering and Event Log to find a specific event
1. Click Event Viewer from the Administrative tools menu.
2. Right-click the log that you want to filter. Choose Properties.
3. Click the Filter tab
4. Choose the event types or any other filtering options (such as event source, category, etc.) that are needed to filter the log. Then click OK.
5. To revert back to the unfiltered view, return to the filter tab and click Restore Defaults.
Using Strong Passwords in Windows 2000
Learning Outcome
Configure their Windows 2000 servers to enforce strong passwords by configuring the Security Settings | Password Policy | Passwords must meet complexity requirement value in the Local Security Settings snap-in.
Recommended Resources for Learning Activity
For More information regarding password security:
http://www.microsoft.com/Windows2000/en/server/help/default.asp?url-/windows2000/en/server/help/windows_passwords_tips.htm
Recommended Instructor Preparation for Learning Activity
Instructor Notes on the four types or combinations of content to enforce strong passwords. Including uppercase letters, Lowercase letters, Numbers, Non-alphanumeric characters such as punctuation. Good student understanding on what is required of a strong password.
Recommended Instructor/Student In-class/lab Activity
· Capture Student Attention: Explain a dictionary attack.
Lab – Using strong passwords in Windows 2000.
1. Create a user named StrongPasswordUser with the password: password. Uncheck the user must change password at next logon check box.
2. Open up the Local Security Policy snap-in through Start | Programs | Administrative tools | Local Security Policy.
3. Select the Security Settings | Account Policies | Password Policy | Passwords must meet complexity requirements value and open it.
4. Click the Enable button to enable this policy.
5. Shut down and restart Windows 2000.
6. Try changing the password on StrongPasswordUser. Note that you are now forced to use a strong password.
Using Strong Passwords in Linux
Learning Outcome
Modify the default password policy of a Linux System.
Recommended Resources for Learning Activity
www.solucorp.qc.ca/linuxconf
Recommended Instructor Preparation for Learning Activity
Linuxconf and gnome-linuxconf need to be installed for this lab. Instructor notes on how Linux is configured by default to reject any password that resembles a “dictionary” password, which is any word that looks like a word in a standard dictionary. Make sure students exactly what a dictionary password is?
Recommended Instructor/Student In-class/lab Activity
Lab – Using strong passwords in Linux.
1. In X-Windows or at the terminal, open Linuxconf: linuxconf
2. Go to the Users accounts | Policies | Password & account policies section.
3. At the Policies tab, change the Minimum length value to 8, and the Minimum amount
of non alpha char value to 2
4. Select the Params tab and change the Must keep # of days to 2, Must change after # days to 180, Warn # of days before expiration to 15.
5. Test it by adding a new user and creating a password.
Viewing Open Ports in Windows 2000
Learning Outcome
Discover how to track open files and ports in Windows 2000 which is a possible exploit for any hacker trying to break into your server.
Recommended Resources for Learning Activity
http://www.cert.org/tech_tips/denial_of_service.html
http://rc.infotech.indiatimes.com/examples/rc/infodeta.jsp?code=134&chan=Expert%20Speak&indus=9
Fport Application.
Recommended Instructor Preparation for Learning Activity
Instructor Notes on ports and how they are vulnerable to attacks such as Denial of Service Attacks.
Recommended Instructor/Student In-class/lab Activity
· Capture Student Attention: Classroom discussion on a Denial of Service attack that crippled major sites such as yahoo.com, Amazon, com cnn.com Article can be found here --à http://www.iol.ie/~kooltek/dosattacks.html
Lab – Viewing Open Ports in Windows 2000.
1. Open up to a command prompt and locate the fport program.
2. Type the following command: fport > fportoutput.txt
3. Use Notepad to open the fportoutput.txt file. You will now see a list of all open ports on your system. Notice the information provided such as how the port is mapped to a specific process.
Protecting your OS against Dictionary Attacks
Learning Outcome
Change a Local Security Policy Snap-in to change the default settings to protect against dictionary password attacks.