[Security] - List of weak points to review and resolve
Tuesday, June 17, 2025
Below is a list of common weaknesses on Linux and Windows servers. Administrators should review each item and resolve it.
[Linux Server]
1. Disable the Telnet service in operation
- We should consider disabling the Telnet service, because Telnet is not secure and introduces many serious security risks.
2. System logging setting according to policy
- Check that each log type is written to the correct file.
Here:
auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp and local0 are operation logs => write them to the operation log
alert, crit, debug, emerg, err, info, notice, warning are message priorities => priority logs should be written to the dev/test log.
$ vi /etc/rsyslog.conf
Ex:
*.alert /var/log/syslog.log
=> *.alert /dev/console
Alert: a situation that requires immediate action
3. Change the SNMP community string
$ vi /etc/snmp/snmpd.conf
Change "public" to another, secret string.
Before: com2sec notConfigUser default public
After: com2sec notConfigUser default <your secret string>
4. Remote terminal connection timeout setting
Set a timeout for terminal sessions
// For a specific user
$ vi /home/<user>/.bash_profile
TMOUT=900 // seconds
export TMOUT
// For all users
$ vi /etc/profile.d/csh.local
set autologout=15 // minutes
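An added check script for items 3 and 4 (example code written for this checklist, not part of the original post). It assumes snmpd.conf uses the com2sec / rocommunity / rwcommunity directives and that the bash timeout is set as "TMOUT=<seconds>" plus "export TMOUT" in a profile file; the file paths in the usage block (/etc/profile.d/tmout.sh) are hypothetical. One caveat it encodes: "set autologout" in csh.local only affects csh/tcsh users, so bash users still need TMOUT in a profile script.

```shell
#!/bin/sh
# Added example for items 3 and 4: configuration checks (not from the original post).
# Assumes snmpd.conf uses the com2sec / rocommunity / rwcommunity directives and that
# the bash timeout is set as "TMOUT=<seconds>" plus "export TMOUT" in a profile file.

# Print the lines in CONF that still use the default community strings "public"
# or "private" (commented lines are ignored). Returns 1 if any were found, 0 if none.
snmp_default_community() {
    hits=$(grep -Ev '^[[:space:]]*#' "$1" |
           grep -Ei '^[[:space:]]*(com2sec[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+|r[ow]community6?)[[:space:]]+(public|private)([[:space:]]|$)')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Print the TMOUT value (seconds) set in FILE; prints nothing if it is not set.
tmout_value() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?TMOUT=[0-9]+' "$1" |
        tail -n 1 | sed 's/.*TMOUT=\([0-9]*\).*/\1/'
}

# Return 0 if FILE sets TMOUT to 1..MAX seconds and also exports it, 1 otherwise.
# A TMOUT that is set but not exported does not reach the login shell's children.
tmout_ok() {
    v=$(tmout_value "$1")
    [ -n "$v" ] || return 1
    [ "$v" -gt 0 ] && [ "$v" -le "$2" ] || return 1
    grep -Eq '^[[:space:]]*export[[:space:]]+TMOUT(=|[[:space:]]|$)' "$1"
}

# Usage (as root): sh check_conf.sh --check
# /etc/profile.d/tmout.sh is a hypothetical system-wide bash profile script.
if [ "${1:-}" = "--check" ]; then
    if snmp_default_community /etc/snmp/snmpd.conf; then
        echo "snmpd.conf: no default community string"
    else
        echo "snmpd.conf: default community string still in use (lines above)"
    fi
    if tmout_ok /etc/profile.d/tmout.sh 900; then
        echo "TMOUT: set, exported and <= 900s"
    else
        echo "TMOUT: missing, too long, or not exported"
    fi
fi
```

Both functions exit non-zero on a finding, so they can be chained into a cron-driven compliance check. For the timeout, also consider "readonly TMOUT" in the profile script, otherwise an interactive user can simply unset the variable.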
5. Management of crontab configuration file permissions is insufficient
- Remove the read permission for others on /etc/at.deny
$ chmod o-r /etc/at.deny
- at.deny controls which users may use the "at" command.
* The 'at' command allows users to schedule one-time tasks or recurring jobs at a specific time and date. It is mainly useful for automating system maintenance, backups, software updates and various administrative tasks. The 'at' command queues the commands, and the system's job scheduler executes them at the specified time.
6. Management of C compiler file permissions is insufficient
- Remove the execute permission for others on the C compiler
$ chmod o-x /usr/bin/gcc /usr/bin/cc
- If you do not use the C compiler, you can remove it
$ rm -f /usr/bin/gcc /usr/bin/cc
7. World-writable files in home directories
- We must review the permissions of every file in each user's home directory and check for world-writable files.
- World-writable means that any other user can edit the file.
$ chmod o-w <file_name>
$ rm -rf <file_name> // if the file is not used
8. Insufficient owner or permissions for user environment files
- We should review the permissions and the owner of every environment file.
$ cd /home/<user_name>
$ ls -al
$ chown <username> <file_name> // change the file owner if it is incorrect
$ chmod o-r,o-w <file_name> // remove the read/write permission for others if the file has it
These are the user environment files:
-rw-------. 1 hqt hqt 2008 Jun 18 15:59 .bash_history
-rw-r--r--. 1 hqt hqt 18 Jan 24 2023 .bash_logout
-rw-r--r--. 1 hqt hqt 141 Jun 18 16:20 .bash_profile
-rw-r--r--. 1 hqt hqt 492 Jan 24 2023 .bashrc
-rw-------. 1 hqt hqt 20 Feb 10 14:15 .lesshst
-rw-------. 1 hqt hqt 8277 Jun 19 10:20 .viminfo
-rw-r--r--. 1 hqt hqt 658 May 15 2022 .zshrc
9. Access control and management of system logs
- Review the permissions and owner of every log file
$ cd /var/log
$ ls -al
Review each log file one by one, change the owner to "root" and set the file permission to 644 (rw-r--r--)
$ chown root <log_file>
$ chmod 644 <log_file>
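An added audit script covering items 5 to 9 (example code written for this checklist, not part of the original post). It assumes GNU coreutils and findutils (stat -c, find -perm); the home directory, user name and log directory are hypothetical arguments supplied by the caller. It generalizes the manual "ls -al" review into functions that report world-writable files, environment files with the wrong owner or with read/write bits for "other", and log files that are not owned by root with mode 644.

```shell
#!/bin/sh
# Added example for items 5-9: permission audit helpers (not from the original post).
# Assumes GNU coreutils/findutils (stat -c, find -perm). Arguments such as the
# home directory and user name are hypothetical inputs supplied by the caller.

# List regular files under DIR that are world-writable (the "o+w" bit is set).
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Print the "other" octal digit of FILE's mode (e.g. 644 -> 4, 600 -> 0).
# Used for the at.deny (no o+r) and compiler (no o+x) checks.
other_bits() {
    stat -c '%a' "$1" | sed 's/.*\(.\)$/\1/'
}

# Audit the user environment files in HOME (item 8): each must be owned by
# OWNER and must not be readable or writable by other. Prints one line per
# finding and returns 1 if anything needs fixing, 0 if all is well.
audit_env_files() {
    home="$1"; owner="$2"; status=0
    for f in "$home"/.bash_history "$home"/.bash_logout "$home"/.bash_profile \
             "$home"/.bashrc "$home"/.lesshst "$home"/.viminfo "$home"/.zshrc; do
        [ -e "$f" ] || continue
        fowner=$(stat -c '%U' "$f")
        if [ "$fowner" != "$owner" ]; then
            echo "BAD_OWNER $f ($fowner) -> chown $owner $f"; status=1
        fi
        # bit 4 = other-read, bit 2 = other-write
        if [ $(( $(other_bits "$f") & 6 )) -ne 0 ]; then
            echo "BAD_MODE $f ($(stat -c '%a' "$f")) -> chmod o-r,o-w $f"; status=1
        fi
    done
    return $status
}

# Audit log files in DIR (item 9): each must be owned by OWNER with mode MODE
# (root and 644 on a real system). Returns 1 if any file deviates.
audit_log_dir() {
    dir="$1"; owner="$2"; mode="$3"; status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fowner=$(stat -c '%U' "$f"); fmode=$(stat -c '%a' "$f")
        if [ "$fowner" != "$owner" ] || [ "$fmode" != "$mode" ]; then
            echo "FIX $f owner=$fowner mode=$fmode -> chown $owner $f; chmod $mode $f"
            status=1
        fi
    done
    return $status
}

# Usage (as root): sh audit_perms.sh /home/<user> <user>
if [ $# -eq 2 ]; then
    echo "== world-writable files under $1 =="; find_world_writable "$1"
    echo "== environment files =="; audit_env_files "$1" "$2"
    echo "== /etc/at.deny other bits: $(other_bits /etc/at.deny) (should be 0)"
    echo "== /usr/bin/gcc other bits: $(other_bits /usr/bin/gcc) (execute bit 1 should be clear)"
    echo "== /var/log =="; audit_log_dir /var/log root 644
fi
```

The functions only report; each printed line carries the chown/chmod that would fix it, so the output can be reviewed before anything is changed. Note that audit_log_dir applies one mode to every file, which matches the checklist but may be stricter than a distribution's defaults for logs such as wtmp or lastlog.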
10. Restrict the group that may use the su command
Check the "wheel" group and which users have access to it
$ vi /etc/group
Require a user to be in the "wheel" group: uncomment the relevant line (marked in red).
$ vi /etc/pam.d/su
We should also check which accounts use cron and whether cron is used correctly.
$ vi /etc/cron.allow
$ vi /etc/cron.deny
==================================================================
[Windows server]
1. Set a timeout for RDP and terminal sessions
- Set a timeout for each session when a user connects remotely to the server. Ex: 15-30 min per session
How to configure:
- Configure the RDP timeout:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
- Configure the terminal timeout:
The relevant registry key is typically:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
2. Set a timeout for SMB
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Microsoft network server: Amount of idle time required before suspending session.
- Set it to between 0 and 15 minutes.
3. Restrict anonymous network access to SAM accounts (Security Account Manager)
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find the items below and change them from Disabled to Enabled:
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
4. Check and stop unnecessary running services
- Run > type services.msc
- Check all running services, review which ones are unnecessary and disable them
Ex:
- World Wide Web Publishing
- NetBIOS
- FTP
- Alerter
- Automatic Updates
- ClipBook
- Computer Browser
- Cryptographic Services
- DHCP Client
- Distributed Link Tracking Client, Server
- DNS Client
- Error Reporting Service
- Human Interface Device Access
- IMAPI CD-Burning COM Service
- Messenger
- NetMeeting Remote Desktop Sharing
- Portable Media Serial Number
- Print Spooler
- Remote Registry
- Simple TCP/IP Services
- Wireless Zero Configuration
5. CGI path permissions in IIS
- Go to IIS > Sites > right-click > Edit Permissions
- Change the permissions of the CGI path
- Remove the Everyone permission; access should be granted only to Admin/System users.
6. Remove handler mappings in IIS
- Go to IIS > Sites > select [Site]
- Select Handler Mappings
- Remove the mappings below: .htr (web-based password reset), .idc (Internet Database Connector), .stm, .shtm, .shtml, .printer (Internet printing), .htw, .ida, .idq (Index Server)
7. Rename the Administrator account
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Accounts: Rename administrator account
=> Set another name that is difficult to guess
8. Disable unnecessary scheduled tasks
- Review the tasks in Task Scheduler and disable the unnecessary ones.
9. Don't display the last sign-in
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Interactive logon: Don't display last signed-in
- Change Disabled => Enabled
10. Set the screensaver display time
- The time should be set to less than 10 minutes.
11. Insufficient access restrictions for security management network services
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > User Rights Assignment
- Find: Access this computer from the network
- Review the listed users and groups and remove the unnecessary ones.
Ex: remove the Everyone group.
12. SNMP service
- Review the SNMP service in services.msc and stop it if it is not used
13. IIS - set error pages
Set a custom error page for each error code: 400, 401, 403, ...
- IIS > Sites > select [site] > Error Pages > set an error page for each status code
14. Allow local logon only for authorized users
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > User Rights Assignment
- Find: Allow log on locally
- Review every user/group other than "Administrator" and remove the unnecessary ones
15. Security management system usage precautions
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Interactive logon: Message text for users attempting to log on
- Set a warning message/policy/notice...
This list is still being updated...