# Computer Network Security Lab 2 Report
> 1/c Joram Stith
>
> 08SEP2022
>
> Mr. Macris
## Executive Summary
A security analysis of two user workstations was conducted using the appropriate Security Technical Implementation Guides (STIGs) to determine the systems' level of compliance with modern security standards. The two systems investigated, a Windows 10 workstation and a CentOS 7 workstation, both had critical security vulnerabilities as a result of misconfigurations, specifically regarding account login policies and account lock policies. Action was taken on both machines to address the vulnerabilities, and a checklist for each operating system was developed from the appropriate STIGs for future use in securing other workstations.
## Introduction
A secure system is only as strong as its implementation. Enterprise networks around the world fall victim to cyberattacks because otherwise secure software is improperly configured or set up, opening the door for malicious actors to exploit computer systems. To prevent such weaknesses, it is critical to conduct compliance assessments that measure how closely computer systems are configured to industry best practices.
One way to assess configuration is with the Department of Defense's Security Technical Implementation Guides (STIGs). These guides contain collections of best practices for a given program, tool, or operating system. STIGs are free, making a STIG compliance assessment a cost-effective safety measure for your company.
This STIG assessment targets two specific computers. One is a Windows 10 workstation, and the other is a CentOS 7 workstation. Assuming computers across the enterprise network are similarly configured, performing a thorough assessment on one workstation of each operating system can reveal important areas of focus for assessments on other computers on the network.
## Background of Practitioner
My background as a security practitioner began with a love for programming that later brought me into the world of cybersecurity. After years of studying, competing, and developing hands-on skills, I started working as a security practitioner out of a vocational calling to make the world a safer place. I love my work, and I am a passionate lifelong learner about cybersecurity. New discoveries thrill me, and my desire to learn and improve speaks as loudly as any certification or degree I may have.
## Method
### Standards
This compliance report follows the Department of Defense's Security Technical Implementation Guides for the Windows 10 and CentOS 7 operating systems. These STIGs were chosen because they encompass the entire operating system, rather than a specific program or use case.
### Tools
To analyze the chosen STIGs, the STIG Viewer tool from the Department of Defense Cyber Exchange was used. This tool was built to work with the chosen STIGs, and offers advanced features and analytics beyond the basic best practices presented in the STIGs.
The workstations for this assessment were modeled using the VirtualBox hypervisor and Vagrant. This combination of software allows for quick, disposable instances of machines to evaluate. If a machine needs to be reset during the evaluation, this is easily done. Additionally, these tools allow an entirely offline evaluation, improving the endpoint security of the assessment.
## Assumptions
### Sampling
As previously mentioned, this assessment was performed on two user workstations, rather than the entire network. This sampling assumes that all workstations on the enterprise network are similarly configured, and that the underlying security recommendations that result from this assessment can be applied to all workstations on the enterprise network.
### Active Directory
This assessment works on the assumption that all workstations are connected to Active Directory, even though the workstations created in Vagrant are not. Because these devices are never actually connected to Active Directory, the offline benefits outlined in the Tools section are preserved.
## Summary of Action
### Overview
The first machine evaluated was a Windows 10 workstation. This is the most common type of workstation on the enterprise network, as most employees use Windows for their day-to-day work.
A selection of best practices from the Windows 10 Operating System STIG were chosen. For each best practice in the STIG, the `check text` was followed to evaluate the status of the given control for the machine. If the control was properly configured and enabled, the practice was marked as `not a finding`. If the control was misconfigured or not present, the practice was marked as a `finding`. Additionally, findings were remediated by following the instructions in the `fix text` section.
The second machine evaluated was a CentOS 7 workstation. Linux workstations are less common, but critically important to secure due to their network-oriented design and unique permissions structure. Malicious actors are generally comfortable in Linux environments, and will often target Linux systems heavily if they are found on the network.
A selection of best practices from the CentOS 7 Operating System STIG were chosen. For each best practice in the STIG, the `check text` was followed to evaluate the status of the given control for the machine. If the control was properly configured and enabled, the practice was marked as `not a finding`. If the control was misconfigured or not present, the practice was marked as a `finding`. Additionally, findings were remediated by following the instructions in the `fix text` section.
An example of a best practice in the **STIG Viewer** software is below:

### Windows 10 System
The following is a list of best practices analyzed on the Windows 10 Machine. For each best practice, the finding status and action taken (if appropriate) is indicated. Screenshots with proof of the fixed control are available in appendix (1).
| STIG ID # | Finding Status | Fix Implemented? | Description |
| -------- | -------- | -------- | ----- |
| [V-220697](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220697) | Not a Finding | N/A | Use Win. 10 Enterprise if AD-joined |
| [V-220856](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220856) | Finding | Yes | Prevent changing installation options |
| [V-220748](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220748) | Finding | Yes | Audit Credential Validation Failure |
| [V-220749](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220749) | Finding | Yes | Audit Credential Validation Success |
| [V-220751](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220751) | Finding | Yes | Audit User Account Mgmt Failure |
| [V-220753](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220753) | Finding | Yes | Audit PNP Activity Success |
| [V-220754](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220754) | Finding | Yes | Audit Process Creation Successes |
| [V-220755](https://www.stigviewer.com/stig/windows_10/2020-10-15/finding/V-220755) | Finding | Yes | Audit Account Lockout Failure |
All audit changes implemented in the `fix text` of the STIGs were accomplished through the Windows **Local Group Policy Editor**. An example screenshot of an audit control is shown below:

### CentOS 7 System
The following is a list of best practices analyzed on the CentOS 7 Machine. For each best practice, the finding status and action taken (if appropriate) is indicated. Screenshots with proof of the fixed control are available in appendix (2).
| STIG ID # | Finding Status | Fix Implemented? | Description |
| -------- | -------- | -------- | ----- |
| [V-204425](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204425) | Not a Finding | N/A | Do not allow empty passwords in SSH |
| [V-204442](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204442) | Finding | Yes | Do not have the rsh-server installed |
| [V-204400](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204400) | Finding | Yes | Enable idle-delay for GUI lock screen |
| [V-204402](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204402) | Finding | Yes | Enable inactivity screen lock on GUI |
| [V-204403](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204403) | Finding | Yes | Prevent screensaver idle-activation override |
| [V-204404](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204404) | Finding | No | Initiate session lock with screensaver |
| [V-204405](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204405) | Not a Finding | N/A | Enable pam.d system-auth for `passwd` |
| [V-204504](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204504) | Not a Finding | N/A | Shut down on audit processing failure |
| [V-204407](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204407) | Finding | Yes | Passwords must have upper-case char |
| [V-204408](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2021-03-01/finding/V-204408) | Finding | Yes | Passwords must have lower-case char |
All changes implemented from the `fix text` of the STIGs were accomplished through the Linux terminal using a **Bash shell**. An example screenshot of a control is shown below:

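The `check text` steps for several of the CentOS 7 controls in the table above reduce to inspecting a configuration value. The Bash script below is an added example, not part of the lab report, that encodes those checks for V-204407, V-204408, V-204425 and V-204400 as functions taking a copy of the relevant file (pwquality.conf, sshd_config, a dconf local.d file) so they run offline; the sample files it creates are constructed, not captured from the assessed workstation.

```shell
#!/usr/bin/env bash
# Added example (not from the lab report): offline "check text" logic for four of
# the CentOS 7 controls listed above. Each check reads a copy of the relevant
# config file (path passed as an argument), so no root or live workstation is needed.

# Effective value of "key = value" in a pwquality-style file (last uncommented match).
conf_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | tail -n 1
}

# V-204407 (ucredit) / V-204408 (lcredit): the credit must be a negative number,
# which makes at least one upper-/lower-case character mandatory.
credit_ok() {
  conf_value "$1" "$2" | grep -qE '^-[0-9]+$'
}

# V-204425: PermitEmptyPasswords must not be set to anything but "no".
# sshd defaults to "no", so a missing or commented-out line is also compliant.
empty_passwords_ok() {
  local v
  v=$(grep -iE '^[[:space:]]*PermitEmptyPasswords[[:space:]]' "$1" | tail -n 1 | awk '{print tolower($2)}')
  [ -z "$v" ] || [ "$v" = "no" ]
}

# V-204400: idle-delay in the dconf local database must be 900 seconds or less.
# Assumption: 0 disables the timer in GNOME, so it is counted as a finding here.
idle_delay_ok() {
  local v
  v=$(sed -n -E 's/^[[:space:]]*idle-delay[[:space:]]*=[[:space:]]*uint32[[:space:]]+([0-9]+).*/\1/p' "$1" | tail -n 1)
  [ -n "$v" ] && [ "$v" -ge 1 ] && [ "$v" -le 900 ]
}

# Constructed sample files (not captured from the real workstation) showing a
# pre-remediation state: ucredit left at 0 and no idle-delay configured at all.
make_samples() {
  mkdir -p "$1"
  printf '# ucredit = -1\nucredit = 0\nlcredit = -1\n' > "$1/pwquality.conf"
  printf 'PermitEmptyPasswords no\n' > "$1/sshd_config"
  printf '[org/gnome/desktop/session]\n' > "$1/00-screensaver"
}

# One line per control, in STIG Viewer's "Finding" / "Not a Finding" terms.
report() {
  local c id fn file key
  for c in "V-204407:credit_ok:$1/pwquality.conf:ucredit" "V-204408:credit_ok:$1/pwquality.conf:lcredit" \
           "V-204425:empty_passwords_ok:$1/sshd_config:" "V-204400:idle_delay_ok:$1/00-screensaver:"; do
    IFS=: read -r id fn file key <<<"$c"
    if "$fn" "$file" $key; then printf '%s Not a Finding\n' "$id"; else printf '%s Finding\n' "$id"; fi
  done
}

d="${TMPDIR:-/tmp}/stig-sample"; make_samples "$d"; report "$d"
```

Point the functions at copies of `/etc/security/pwquality.conf`, `/etc/ssh/sshd_config` and the relevant `/etc/dconf/db/local.d/` file from a real workstation to reproduce the checks used in this assessment.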
## Highest Impact Controls
The evaluated controls demonstrated many misconfigurations in both the Windows 10 system and the CentOS 7 system with regard to audit policies. Well-configured audit policies are a critical part of a secure network, as they enable detection and documentation of breaches. Additionally, well-configured audit policies can alert security analysts to attempted attacks before they succeed, preventing a breach entirely.
The assessment also demonstrated misconfigurations with regard to password policy on the CentOS 7 operating system. Enforcing a strong password policy can greatly improve the security of your workstations.
### Windows 10 STIG Results (after remediation)


### CentOS 7 STIG Results (after remediation)

## Recommendations
Based on the assessment, I recommend taking the following actions to improve the security of your enterprise workstations:
**Windows 10 Enterprise**
- Enforce best practice audit policies IAW the Windows 10 Enterprise STIG
- Limit user permission to change Windows policies that don't relate to their use cases
**CentOS 7 Workstation**
- Enforce best practice lock screen, timeout, and screensaver policies IAW the CentOS 7 STIG
- Linux machines are often used for web services, and must be left running for long periods of time. If these machines do not properly secure themselves, physical access or remote desktop tools can be an effective threat vector for a malicious actor.
- Enforce best practice password complexity policy, requiring different kinds of characters and a minimum length.
## Conclusion
In conclusion, the Windows 10 Enterprise and CentOS 7 workstations on your enterprise network are not properly configured IAW the best practices outlined in their respective STIGs. I recommend you take action based on the best practices in the STIGs, specifically regarding audit policy and password complexity policy.
Finally, the most important recommendation is to continue pursuing security in depth. No single evaluation or assessment will fully evaluate the security posture of your company, nor will a single set of fixes secure your network for all time. The best enterprise security is iterative, implemented and changed over time in response to an evolving threat landscape.
# Appendix
## Appendix (1) Windows 10 STIG POCs
### 1. Fix for V-220697
Not a finding (N/A)
### 2. Fix for V-220856

### 3. V-220748

### 4. V-220749

### 5. V-220751

### 6. V-220753

### 7. V-220754

### 8. V-220755

## Appendix (2) CentOS 7 STIG POCs
### 1. V-204425
Not a finding.

### 2. V-204442

Finding, fixed.

### 3. V-204400

Finding, fixed.

### 4. V-204402
Found and fixed (same way)

### 5. V-204403

### 6. V-204404
Is a finding; the fix failed, so it's just going to stay broken.
### 7. V-204405
Good to go

### 8. V-204504
Good to go

### 9. V-204407
Fixed

### 10. V-204408
Fixed
