Malware Fighting Tools/Guides
I have done some massive research and long-term deep investigations, and this Checkpoint AntiBot module has got a very high percentage of accuracy on live malware and C&C communications residing on machines.
Those tools helped me along the way to deal with and remove those evils in a haystack (besides the obvious Format c: /q).
It also has a knowledge base containing everything you need to know about those evils and their families.
For more information on the methodology of my research and the tools I used, you can write to my email.
https://www.checkpoint.com/solutions/malware-portal/fighting-tools-guides.html
N-Joy
Roy Coren,
Security Specialist
DLP
One of the most common definitions for the term DLP (Data Loss Prevention or Data Leakage Prevention) is “systems that identify, monitor, and protect data through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing and recipient/destination and so on) and with a centralized management framework.”
Purpose of this article
Organizations are interested in protecting their sensitive data, and DLP provides them with the framework to do that. So far no news… However, the DLP world is a bit more complicated than that, and the purpose of this article is to highlight a few basic domains and areas that are worth thinking about when considering DLP solutions.
Common Data Locations and States
- Data in motion – Any data that is moving through the network to destinations outside the local / corporate LAN via the Internet
- Data at rest – Data that resides in file systems, databases and other storage methods
- Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops, and other highly-mobile devices)
Examples of sensitive data:
- Confidential and/or proprietary data, for example: processes, methodologies, development code, etc.
- Customer and employee data
- Financial data
- Data that is regulated by regional and national laws such as HIPAA, SOX and GLBA
Common Data Leakage Channels:
Technical side:
- Email Traffic – SMTP from mail servers
- Web mail (Gmail, Yahoo, etc)
- Uploading files to internet destinations (HTTP, HTTPS, FTP)
- Posting on internet sites (blogs, social media, forums)
- Instant messaging (gTalk, MSN, Yahoo, Skype)
- P2P networks
- Wi-Fi networks
- Key loggers, Trojan horses
- Multiple platforms (Windows, Linux, Mac, etc.)
- Application permissions (ERP, database, SaaS platforms, SharePoint)
Physical:
- Mobile devices
- Non-encrypted hard drives
- USB drives (Disk on key, external hard drives)
- Portable media (CD/DVD, floppy drive, backup tapes)
- Physical security (hard copy of documents)
Human factor:
- Lack of employee awareness of security risks
- Partners, suppliers, temporary employees and visitors
- Working from home, remote locations, internet cafe
Companies need to protect themselves from scenarios such as those below:
- Inadvertent forwarding of email containing product development or business plans to another email recipient
- An employee extracts data from a secure system and conducts the analysis on a less secure system
- Sending unreleased pricing information to the wrong email address
- Customer or competitive information sent by an employee to a third-party for financial gain
- A disgruntled employee with privileged access to sensitive information acts maliciously and steals information
- Proprietary information sent to a distributor, who might then forward it on to competitors
- Backup tapes are stored in a non-secure environment and a curious intruder removes a tape to examine its content
- Incorrect permission settings on the file and directory structure could allow anyone to access the information
DLP solutions prevent confidential data loss by:
- Monitoring communications going outside of the organization
- Encrypting email containing confidential content
- Enabling compliance with global privacy and data security mandates
- Securing outsourcing and partner communications
- Protecting intellectual property
- Preventing malware-related data harvesting
- Enforcing acceptable use policies
- Providing a deterrent for malicious users (by creating the possibility of being caught)
How to implement a DLP solution:
- Perform a risk assessment to find out:
- What type of data exists in the organization?
- Where is the data located/saved?
- How valuable is the data to the organization?
- What type of loss is the organization willing to accept?
- What are the regulatory and privacy gaps for the organization?
- Classify the organization data:
- Top secret
- Secret
- Confidential
- Restricted
- Unclassified
- Decide what information the organization would like to search for and protect:
- Pattern, keyword matching and dictionaries
- Document fingerprinting
- Database fingerprinting
- Prepare a data loss prevention plan:
- How to limit the damage to the organization
- How to avoid similar incidents from happening in the future
- How to report to the management, stockholders and media on the current data loss incident
- Prepare policies, standards and procedures for handling data loss incidents:
- Scan HTTPS traffic on the gateway
- Block data from leaving the organization
- Encrypt sensitive information inside database
- Full disk encryption
- Encrypt data before sending to partners/suppliers
- Prevent use of portable media
- Employee awareness training
- Deploy the DLP solution:
- Install a product on the gateway
- Configure SSL termination – recommended
- Configure encryption gateway for SMTP traffic – recommended
- Deploy agents on the end-points – highly recommended
- Ongoing monitoring:
- Review incidents on a regular basis (daily/weekly)
- Fine-tune the product to raise alerts on important incidents and collect all other incidents.
- Create reports on a regular basis to locate top senders/targets
- Perform data discovery on a regular basis (daily/weekly/monthly) on network shares, servers, end-points, etc.
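As an added illustration of the three detection methods listed under "Decide what information the organization would like to search for and protect" (pattern matching, keyword/dictionary matching and document fingerprinting), here is a small content inspector written for this article; it is example code, not part of any DLP product, and its protected document, dictionary terms and outbound messages are constructed.

```python
"""Minimal DLP content inspector (added example, constructed data).

Three detection methods from the article are applied to each outbound message:
  1. pattern matching        - card-like numbers, confirmed with the Luhn check
  2. dictionary matching     - weighted keywords that describe sensitive content
  3. document fingerprinting - hashed word shingles of a protected document
"""
import hashlib
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SHINGLE_WORDS = 5        # words per fingerprint shingle
FINGERPRINT_BLOCK = 3    # matching shingles needed to block a message
DICTIONARY_ALERT = 5     # dictionary score that raises an alert

# Constructed keyword dictionary: term -> weight.
DICTIONARY = {
    "confidential": 3,
    "internal only": 3,
    "business plan": 4,
    "unreleased pricing": 5,
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs do not trigger the card pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Pattern matching: return Luhn-valid 13-16 digit numbers found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def dictionary_score(text: str) -> int:
    """Keyword/dictionary matching: sum the weights of the terms present."""
    lowered = text.lower()
    return sum(w for term, w in DICTIONARY.items() if term in lowered)


def fingerprint(text: str) -> set:
    """Document fingerprinting: hash every run of SHINGLE_WORDS words.

    Storing hashes instead of the text lets the DLP engine recognise an
    excerpt of the protected document without keeping a copy of it.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


def inspect(message: str, protected: set) -> dict:
    """Classify one outbound message as allow, alert or block."""
    cards = find_card_numbers(message)
    score = dictionary_score(message)
    matches = len(fingerprint(message) & protected)
    if cards or matches >= FINGERPRINT_BLOCK:
        verdict = "block"
    elif score >= DICTIONARY_ALERT:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"verdict": verdict, "cards": cards,
            "dictionary_score": score, "fingerprint_matches": matches}


# Constructed protected document, registered once by the DLP administrator.
PROTECTED_DOC = ("Project Falcon business plan. The revenue forecast for the next "
                 "fiscal year assumes a launch price of 49 dollars per seat and a "
                 "churn rate below five percent across all regions.")
PROTECTED_FINGERPRINTS = fingerprint(PROTECTED_DOC)

# Constructed outbound messages.
MESSAGES = {
    "card": "Please charge card 4111 1111 1111 1111 for the invoice.",
    "excerpt": ("Hi, copying the relevant part here: assumes a launch price of 49 "
                "dollars per seat and a churn rate below five percent"),
    "keywords": "Attached is the unreleased pricing sheet, confidential.",
    "benign": "Lunch on Friday? The cafeteria has a new menu.",
    "not_a_card": "Reference number 1234 5678 1234 5678 for the ticket.",
}

if __name__ == "__main__":
    for name, body in MESSAGES.items():
        print(f"{name:10s} -> {inspect(body, PROTECTED_FINGERPRINTS)}")
```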
Hardening guide for Hyper-V on Windows 2008 R2 server core platform
OS installation phase
- Boot the server using Windows 2008 R2 bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To log in to the server for the first time, press CTRL+ALT+DELETE
- Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “1” to join the server to the domain -> press “D” to join a domain -> specify the domain name -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
- From the command prompt window, run the command below:
sconfig.cmd
- In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
- To install the Hyper-V role, run the command below:
start /w ocsetup Microsoft-Hyper-V
- Click “Yes” to allow the server to restart.
- To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
- To check that the installation completed, run the command:
oclist | find /i "Microsoft-Hyper-V"
- Run the commands below to enable remote management of Hyper-V:
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
- In case you install an antivirus product on Server Core, add the following to the antivirus exclusions:
- Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
- Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
- Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
- Vmms.exe
- Vmwp.exe
Manage Hyper-V VMs from Windows 7
- Login to a Windows 7 client using administrative account.
- Download and install the Remote Server Administration Tools (RSAT) for Windows 7 from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
- Open Control Panel and click Programs.
- Click Turn Windows features on or off.
- Under Remote Server Administration Tools -> Role Administration Tools, check Hyper-V Tools.
- Launch the tools by either typing Hyper-V Manager at the Start menu or going to Start -> Administrative Tools -> Hyper-V Manager.
Virtual Machine Servicing Tool 3.0
Virtual Machine Servicing Tool 3.0 helps to update offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches.
Download link:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23300
Using Authorization Manager for Hyper-V Security
Authorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions.
Link for more information:
http://technet.microsoft.com/en-us/library/cc726036.aspx
Hardening guide for Drupal 7.7
Pre-installation notes
The guide below is based on CentOS 5.5 (i386), Apache 2.2.19 and MySQL 5.5.15.
The guide below builds on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
PHP installation phase
- Log in to the server using the root account.
- Before compiling the PHP environment, install the following RPMs from the CentOS 5.5 DVD source folder:
rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
rpm -ivh libjpeg-devel-6b-37.i386.rpm
- Download the MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
- Download the PHP 5.3.8 source files from:
http://php.net/downloads.php
- Download the latest libxml2 for PHP from:
http://xmlsoft.org/sources/
- Copy the MySQL development RPM using PSCP (or SCP) into /tmp
- Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Install the MySQL development RPM:
rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
- Remove MySQL development RPM:
rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
- Extract the php-5.3.8.tar.gz file:
tar -zxvf php-5.3.8.tar.gz
- Extract the libxml2 source file:
tar -zxvf libxml2-2.7.7.tar.gz
- Move to the libxml2-2.7.7 folder:
cd /tmp/libxml2-2.7.7
- Run the commands below to compile libxml2:
./configure
make
make install
- Move to the PHP source folder:
cd /tmp/php-5.3.8
- Run the commands below to compile the PHP environment:
./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp
make
make install
- Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.html
To:
DirectoryIndex index.php index.html index.htm
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 600000
- Copy the PHP.ini file
cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
- Change the permissions on the php.ini file:
chmod 640 /etc/php.ini
- Edit using VI, the file /etc/php.ini
Replace the value of the string, from:
mysql.default_host =
To:
mysql.default_host = 127.0.0.1:3306
Replace the value of the string, from:
pdo_mysql.default_socket=
To:
pdo_mysql.default_socket=127.0.0.1
Replace the value of the string, from:
allow_url_fopen = On
To:
allow_url_fopen = Off
Replace the value of the string, from:
expose_php = On
To:
expose_php = Off
Replace the value of the string, from:
memory_limit = 128M
To:
memory_limit = 64M
Replace the value of the string, from:
;open_basedir =
To:
open_basedir = "/www"
Replace the value of the string, from:
post_max_size = 8M
To:
post_max_size = 2M
Replace the value of the string, from:
disable_functions =
To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups
Replace the value of the string, from:
;include_path = ".:/php/includes"
To:
include_path = "/usr/local/lib/php:/usr/local/apache2/include/php"
Replace the value of the string, from:
display_errors = On
To:
display_errors = Off
Replace the value of the string, from:
display_startup_errors = On
To:
display_startup_errors = Off
Replace the value of the string, from:
;gd.jpeg_ignore_warning = 0
To:
gd.jpeg_ignore_warning = 1
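To confirm that the php.ini edits above took effect, and to re-check them later, here is a small auditor written for this guide as an added example; it is not part of PHP or Drupal, and the two php.ini excerpts embedded in it are constructed.

```python
"""php.ini auditor (added example, constructed sample files).

Parses a php.ini and reports which of the directives hardened in this guide
are still at the php.ini-development defaults. Run it after the edit above
and periodically, so a relaxed setting is noticed.
"""

# Directive -> value the guide sets.
EXPECTED = {
    "allow_url_fopen": "Off",
    "expose_php": "Off",
    "display_errors": "Off",
    "display_startup_errors": "Off",
    "memory_limit": "64M",
    "post_max_size": "2M",
}
# Subset of the guide's disable_functions list that gives command execution.
MUST_DISABLE = {"exec", "shell_exec", "system", "passthru", "popen",
                "proc_open", "pfsockopen", "dl"}


def parse_ini(text: str) -> dict:
    """Return active directives as {name: value}; ';' starts a comment and
    a later assignment overrides an earlier one, as in PHP itself."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def audit(settings: dict) -> list:
    """Return a list of findings; an empty list means the guide's values are in place."""
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have is None or have.lower() != want.lower():
            findings.append(f"{key} is {have!r}, guide sets {want}")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is unset, PHP can read files outside /www")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings


# Constructed excerpt with the php.ini-development defaults the guide replaces.
DEFAULT_INI = """\
[PHP]
allow_url_fopen = On
expose_php = On
memory_limit = 128M
;open_basedir =
post_max_size = 8M
disable_functions =
display_errors = On
display_startup_errors = On
"""

# Constructed excerpt after applying the edits from this guide.
HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
expose_php = Off
memory_limit = 64M
open_basedir = "/www"
post_max_size = 2M
disable_functions = shell_exec,dl,popen,pclose,exec,passthru,proc_open,pfsockopen,system
display_errors = Off
display_startup_errors = Off
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_INI), ("hardened", HARDENED_INI)):
        print(name, audit(parse_ini(text)) or ["OK"])
```

To audit the live file, pass `open("/etc/php.ini").read()` to parse_ini.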
- Run the commands below to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
- Remove the PHP source and test files:
rm -f /tmp/php-5.3.8.tar.gz
rm -f /tmp/libxml2-2.7.7.tar.gz
rm -rf /tmp/php-5.3.8
rm -rf /tmp/libxml2-2.7.7
rm -rf /tmp/pear
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
Drupal installation phase
- Log in to the server using the root account.
- Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE Z5J6Dw1;
GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with a complex password (at least 14 characters).
Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
- Download Drupal 7.7 from:
http://drupal.org/project/drupal
- Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
- Move to /www
cd /www
- Extract the file below:
tar -zxvf drupal-7.7.tar.gz
- Remove Drupal source file:
rm -f /www/drupal-7.7.tar.gz
- Rename the Drupal folder:
mv /www/drupal-7.7 /www/drupal
- Remove default content:
rm -f /www/drupal/CHANGELOG.txt
rm -f /www/drupal/COPYRIGHT.txt
rm -f /www/drupal/INSTALL.pgsql.txt
rm -f /www/drupal/LICENSE.txt
rm -f /www/drupal/UPGRADE.txt
rm -f /www/drupal/INSTALL.mysql.txt
rm -f /www/drupal/INSTALL.sqlite.txt
rm -f /www/drupal/INSTALL.txt
rm -f /www/drupal/MAINTAINERS.txt
rm -f /www/drupal/sites/example.sites.php
- Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Replace the line from:
DocumentRoot "/www"
To:
DocumentRoot "/www/drupal"
- Run the commands below to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
- Create the following folders:
mkdir /www/drupal/sites/default/files
mkdir /www/private
- Copy the settings.php file:
cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
- Change permissions on the settings.php file:
chmod a+w /www/drupal/sites/default/settings.php
chmod -R 777 /www/drupal/sites/default/files
chmod -R 777 /www/private
- Open a web browser from a client machine, and enter the URL below:
http://Server_FQDN/install.php
- Select “Standard” installation and click “Save and continue”.
- Choose the default “English” and click “Save and continue”.
- Specify the following details:
- Database type: MySQL
- Database name: Z5J6Dw1
- Database username: blgusr
- Database password: password2
- Click on Advanced Options
- Database host: 127.0.0.1
- Table prefix: Z5J6Dw1_
Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with a complex password (at least 14 characters).
- Click “Save and Continue”.
- Specify the following information:
- Site name
- Site e-mail address (for automated e-mails, such as registration information)
- Username (for the default administrator account)
- E-mail address
- Password
- Select “Default country” and “Default time zone”.
- Unselect the “Update Notifications” checkboxes.
- Click “Save and Continue”.
- Close the web browser.
- Create using VI the file /www/config.php with the following content:
<?php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'driver' => 'mysql',
      'database' => 'Z5J6Dw1',
      'username' => 'blgusr',
      'password' => 'password2',
      'host' => '127.0.0.1',
      'port' => '',
      'prefix' => 'Z5J6Dw1_',
    ),
  ),
);
?>
Note 1: Make sure there are no spaces, newlines, or other strings before the opening ‘<?php’ tag or after the closing ‘?>’ tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with a complex password (at least 14 characters).
Note 4: Replace “Z5J6Dw1” with your own Drupal database name.
- Edit using VI, the file /www/drupal/sites/default/settings.php
Add the following line:
include('/www/config.php');
Remove the following section:
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'driver' => 'mysql',
      'database' => 'Z5J6Dw1',
      'username' => 'blgusr',
      'password' => 'password2',
      'host' => '127.0.0.1',
      'port' => '',
      'prefix' => 'Z5J6Dw1_',
    ),
  ),
);
Replace the string from:
ini_set('session.cookie_lifetime', 2000000);
To:
ini_set('session.cookie_lifetime', 0);
- Change permissions on the settings.php file:
chmod a-w /www/drupal/sites/default/settings.php
- Add the following lines to the /www/drupal/.htaccess file:
# Block any file that starts with "."
<FilesMatch "^\..*$">
Order allow,deny
</FilesMatch>
<FilesMatch "^.*\..*$">
Order allow,deny
</FilesMatch>
# Allow "." files with safe content types
<FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
Order deny,allow
</FilesMatch>
- Run the command below to change permissions on the /www/drupal/.htaccess file:
chmod 444 /www/drupal/.htaccess
- Download into /www/drupal/sites/all/modules the latest build of the modules below:
- Drupal Firewall – http://drupal.org/project/dfw
- SpamSpan filter – http://drupal.org/project/spamspan
- Content Security Policy – http://drupal.org/project/content_security_policy
- GoAway – http://drupal.org/project/goaway
- IP anonymize – http://drupal.org/project/ip_anon
- Flood control – http://drupal.org/project/flood_control
- Password policy – http://drupal.org/project/password_policy
- Persistent Login – http://drupal.org/project/persistent_login
- Secure Permissions – http://drupal.org/project/secure_permissions
- Security Review – http://drupal.org/project/security_review
- System Permissions – http://drupal.org/project/system_perm
- Block anonymous links – http://drupal.org/project/blockanonymouslinks
- From an SSH session, move to the folder /www/drupal/sites/all/modules.
- Extract the modules downloaded above:
tar zxvf spamspan-7.x-1.1-beta1.tar.gz
tar zxvf content_security_policy-7.x-1.x-dev.tar.gz
tar zxvf goaway-7.x-1.2.tar.gz
tar zxvf ip_anon-7.x-1.0.tar.gz
tar zxvf flood_control-7.x-1.0.tar.gz
tar zxvf password_policy-7.x-1.0-beta1.tar.gz
tar zxvf persistent_login-7.x-1.x-dev.tar.gz
tar zxvf secure_permissions-7.x-1.5.tar.gz
tar zxvf security_review-7.x-1.x-dev.tar.gz
tar zxvf system_perm-7.x-1.x-dev.tar.gz
tar zxvf blockanonymouslinks-7.x-1.1.tar.gz
tar zxvf dfw-7.x-1.1.tar.gz
- Remove the module source files:
rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz
rm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz
rm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz
rm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz
rm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz
rm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz
rm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz
rm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz
rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz
rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz
rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz
rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz
- Open a web browser from a client machine, and enter the URL below:
http://Server_FQDN/?q=user/login
- From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
- From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
- From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
- From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
- From the upper menu, click on Modules -> from the main page, select the following modules:
- Drupal firewall
- SpamSpan
- Content Security Policy
- Content Security Policy Reporting
- GoAway
- IP anonymize
- Flood control
- Password change tab
- Password policy
- Persistent Login
- Secure Permissions
- Security Review
- System Perms
- BlockAnonymousLinks
- Click on Save configuration.
Drupal SSL configuration phase
- Add the following line to the /www/drupal/sites/default/settings.php file:
$conf['https'] = TRUE;
- Download into /www/drupal/sites/all/modules the latest build of the modules below:
- Secure Pages – http://drupal.org/project/securepages
- Secure Login – http://drupal.org/project/securelogin
- From an SSH session, move to the folder /www/drupal/sites/all/modules.
- Extract the modules downloaded above:
tar zxvf securepages-7.x-1.x-dev.tar.gz
tar zxvf securelogin-7.x-1.2.tar.gz
- Remove the module source files:
rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz
rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz
- Open a web browser from a client machine, and enter the URL below:
https://Server_FQDN/?q=user/login
- From the upper menu, click on Modules -> from the main page, select the following modules:
- Secure Login
- Secure Pages
- Click on Save configuration.
- From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.
Kickstart installation guide for CentOS 5.5
This guide explains how to install and configure a Kickstart server for network-based deployments of CentOS from an NFS share.
The instructions should work the same on RedHat and Fedora.
Prerequisites
- CentOS 5.5 DVD
- Static IP address for the Kickstart/DHCP server
- /data partition
- In case using CISCO switches, “Spanning tree port fast” must be enabled.
Installation phase
- Log in to the CentOS server using the root account.
- Mount the CentOS DVD:
mount /dev/cdrom /media
- Move to the CentOS RPM folder inside the DVD:
cd /media/CentOS
- Run the commands below to install the TFTP server:
rpm -ivh xinetd-2.3.14-10.el5.i386.rpm
rpm -ivh tftp-server-0.49-2.el5.centos.i386.rpm
- Run the command below to install the DHCP server:
rpm -ivh dhcp-3.0.5-23.el5.i386.rpm
- Create a new folder for the Kickstart server:
mkdir -p /data/kickstart
- Edit using VI, the file /etc/xinetd.d/tftp and change the following settings:
From:
disable = yes
To:
disable = no
From:
server_args = -s /tftpboot
To:
server_args = -s /data/kickstart
- Run the command below to start the TFTP server:
/sbin/service xinetd start
- Run the command below to make the TFTP server start at boot:
chkconfig xinetd on
- Edit using VI, the file /etc/dhcpd.conf and add the following lines:
ddns-update-style none;
allow bootp;
allow booting;
subnet 10.1.1.0 netmask 255.255.255.0 {
option routers 10.1.1.254;
option domain-name-servers 10.1.1.2;
next-server 10.1.1.1;
filename "pxelinux.0";
range dynamic-bootp 10.1.1.200 10.1.1.210;
}
Note 1: Replace 10.1.1.0 with the correct network ID.
Note 2: Replace 255.255.255.0 with the correct subnet mask.
Note 3: Replace 10.1.1.254 with the correct default gateway.
Note 4: Replace 10.1.1.1 with the Kickstart server IP address.
Note 5: Replace 10.1.1.200 with the first IP of the DHCP pool.
Note 6: Replace 10.1.1.210 with the last IP of the DHCP pool.
Note 7: Replace 10.1.1.2 with the correct DNS server.
- Start the DHCP server:
service dhcpd start
- Run the command below to make the DHCP server start at boot:
chkconfig dhcpd on
- Copy the boot files:
cp /usr/lib/syslinux/{pxelinux.0,menu.c32,memdisk,mboot.c32,chain.c32} /data/kickstart
- Create a folder for the PXE menu files:
mkdir -p /data/kickstart/pxelinux.cfg
- Move to the CentOS DVD root folder:
cd /media
- Copy vmlinuz and initrd.img from the DVD to the images directory:
cp /media/images/pxeboot/{vmlinuz,initrd.img} /data/kickstart/images
- Create the CentOS DVD structure:
cp -r CentOS /data/kickstart/
cp -r isolinux /data/kickstart/
cp -r repodata /data/kickstart/
cp -r images /data/kickstart/
- Create using VI, the file /data/kickstart/pxelinux.cfg/default with the following content:
default menu.c32
prompt 0
MENU TITLE PXE Menu
LABEL CentOS
MENU LABEL CentOS
KERNEL images/vmlinuz
append initrd=images/initrd.img vga=normal network ks=nfs:10.1.1.1:/data/kickstart/ks.cfg text
Note: Replace 10.1.1.1 with the Kickstart server IP address.
- Create an unattended installation script /data/kickstart/ks.cfg
Note 1: Make sure the file starts with the following lines:
install
nfs --server=10.1.1.1 --dir=/data/kickstart
Note 2: Replace 10.1.1.1 with the Kickstart server IP address.
Note 3: Make sure that no lines beginning with “cdrom” or “url” exist in the file.
Note 4: To review the ks.cfg file options, see the link:
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Installation_Guide/s1-kickstart2-options.html
- Edit using VI, the file /etc/exports and add the following line:
/data/kickstart *(ro,no_root_squash)
- Start the NFS service:
service portmap start
service nfs start
chkconfig nfs on
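As an added example (not part of the original guide), the following script checks that the addresses the dhcpd.conf notes above ask you to substitute are mutually consistent before rendering the subnet stanza, and validates a ks.cfg against the rules given for it (first line "install", an nfs source, no "cdrom" or "url" line). The addresses are the guide's placeholders; the ks.cfg samples are constructed.

```python
"""Kickstart configuration checks (added example, constructed samples).

check_dhcp_values() validates the addresses the notes in the guide tell you to
replace, render_dhcpd() writes the subnet stanza from them, and check_ks()
enforces the ks.cfg rules: first line "install", an nfs source pointing at
the Kickstart server, and no "cdrom" or "url" source line.
"""
import ipaddress


def check_dhcp_values(network, netmask, router, server, pool_first, pool_last):
    """Return a list of problems; an empty list means the values are consistent."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    problems = []
    for label, value in (("router", router), ("next-server", server),
                         ("pool start", pool_first), ("pool end", pool_last)):
        if ipaddress.ip_address(value) not in net:
            problems.append(f"{label} {value} is outside {net}")
    if first > last:
        problems.append("DHCP pool range is reversed")
    for label, value in (("router", router), ("next-server", server)):
        if first <= ipaddress.ip_address(value) <= last:
            problems.append(f"{label} {value} lies inside the DHCP pool")
    return problems


def render_dhcpd(network, netmask, router, dns, server, pool_first, pool_last):
    """Render the /etc/dhcpd.conf lines from the guide, refusing bad values."""
    problems = check_dhcp_values(network, netmask, router, server, pool_first, pool_last)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        "ddns-update-style none;\n"
        "allow bootp;\n"
        "allow booting;\n"
        f"subnet {network} netmask {netmask} {{\n"
        f"  option routers {router};\n"
        f"  option domain-name-servers {dns};\n"
        f"  next-server {server};\n"
        '  filename "pxelinux.0";\n'
        f"  range dynamic-bootp {pool_first} {pool_last};\n"
        "}\n"
    )


def check_ks(text: str, server: str) -> list:
    """Apply the guide's ks.cfg rules; comments and blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    problems = []
    if not lines or lines[0] != "install":
        problems.append('ks.cfg must start with "install"')
    if f"nfs --server={server} --dir=/data/kickstart" not in lines:
        problems.append("nfs installation source line is missing or wrong")
    for ln in lines:
        if ln.split()[0] in ("cdrom", "url"):
            problems.append(f'conflicting installation source: "{ln}"')
    return problems


# The guide's placeholder addresses.
NETWORK, NETMASK = "10.1.1.0", "255.255.255.0"
ROUTER, DNS, SERVER = "10.1.1.254", "10.1.1.2", "10.1.1.1"
POOL_FIRST, POOL_LAST = "10.1.1.200", "10.1.1.210"

# Constructed ks.cfg samples: one that follows the notes, one saved from a DVD install.
GOOD_KS = "install\nnfs --server=10.1.1.1 --dir=/data/kickstart\nlang en_US.UTF-8\n"
BAD_KS = "# saved from a DVD install\ninstall\ncdrom\nlang en_US.UTF-8\n"

if __name__ == "__main__":
    print(render_dhcpd(NETWORK, NETMASK, ROUTER, DNS, SERVER, POOL_FIRST, POOL_LAST))
    print("good ks.cfg:", check_ks(GOOD_KS, SERVER) or "OK")
    print("bad ks.cfg: ", check_ks(BAD_KS, SERVER))
```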
Hardening guide for Squid 3.1.8 on CentOS 5.5
- Log in to the server using the root account.
- Create a new account:
groupadd squid
useradd -g squid -d /var/spool/squid -s /sbin/nologin squid
- Install the following RPM files from the CentOS DVD:
rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh cpp-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libstdc++-devel-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-c++-4.1.2-48.el5.i386.rpm
- Download the latest Squid source files from: http://www.squid-cache.org/Versions/
- Copy the Squid source files using SCP (or PSCP) into /tmp
- Move to /tmp
cd /tmp
- Extract the Squid source file:
tar zxvf squid-3.1.8.tar.gz
- Move to the Squid source folder:
cd /tmp/squid-3.1.8
- Run the commands below to compile Squid from the source files:
./configure --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-default-user=squid --sysconfdir=/etc/squid --datarootdir=/usr/share/squid --enable-http-violations
make all
make install
- Move one folder up and remove the Squid source files and default content:
cd ..
rm -rf /tmp/squid-3.1.8
rm -f /tmp/squid-3.1.8.tar.gz
rm -rf /usr/share/squid/man
rm -f /etc/squid/cachemgr.conf.default
rm -f /etc/squid/errorpage.css.default
rm -f /etc/squid/mime.conf.default
rm -f /etc/squid/msntauth.conf.default
rm -f /etc/squid/squid.conf.default
rm -f /etc/squid/squid.conf.documented
- Change ownership and permissions on the log folder:
chown squid:root /var/log/squid
chmod 770 /var/log/squid
- Edit using VI, the file /etc/squid/squid.conf and add the following lines to the end of the file:
cache_access_log /var/log/squid/access.log
cache_store_log none
shutdown_lifetime 1 second
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
visible_hostname server1
maximum_object_size 4096 KB
minimum_object_size 1 KB
dns_nameservers DNS_value
client_lifetime 360 minutes
pconn_timeout 360 minutes
Note 1: Replace “server1” with the Squid server DNS name.
Note 2: Replace “DNS_value” with the IP addresses of the DNS servers.
- Run the command below to initialize Squid:
/usr/sbin/squid -z
- In order to manually start the Squid service, run the command below:
/usr/sbin/squid
- In order to start the Squid service at server startup, add the command below to the /etc/rc.local file:
/usr/sbin/squid
- Uninstall the following RPMs (the build toolchain is no longer needed once Squid is installed):
rpm -e gcc-c++-4.1.2-48.el5
rpm -e libstdc++-devel-4.1.2-48.el5
rpm -e gcc-4.1.2-48.el5
rpm -e cpp-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5
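As an added example (not part of the original guide), the POSIX shell script below audits an existing squid.conf for the hardening directives added above and for the two placeholders the notes say to replace; the sample configuration it checks is constructed for the demonstration.

```shell
# Added example, not part of the original guide: audit an existing squid.conf
# for the hardening directives the guide adds and for placeholders that were
# never replaced. Directive names and values are the guide's; the sample
# configuration at the bottom is constructed for this demonstration.
REQUIRED='cache_store_log none
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
forwarded_for off
request_header_access All deny all'

PLACEHOLDERS='visible_hostname server1
dns_nameservers DNS_value'

# has_directive FILE "name value": 0 if a matching line exists, tolerating
# tabs, repeated spaces and trailing comments.
has_directive() {
    pat=$(printf '%s' "$2" | sed 's/ /[[:space:]]+/g')
    grep -Eq "^[[:space:]]*${pat}"'([[:space:]]|$)' "$1"
}

# check_squid_conf FILE: print each problem found; return 0 only if none.
check_squid_conf() {
    {
        printf '%s\n' "$REQUIRED" | while IFS= read -r line; do
            has_directive "$1" "$line" || echo "MISSING: $line"
        done
        printf '%s\n' "$PLACEHOLDERS" | while IFS= read -r line; do
            if has_directive "$1" "$line"; then echo "PLACEHOLDER LEFT: $line"; fi
        done
    } | grep . && return 1
    return 0
}

# Constructed sample: forwarded_for is missing and DNS_value was never replaced.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
cache_store_log none
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
request_header_access All deny all
visible_hostname proxy.example.com
dns_nameservers DNS_value
EOF
check_squid_conf "$SAMPLE" || echo "squid.conf needs attention"
rm -f "$SAMPLE"
```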
Hardening guide for Windows 2008 R2 Domain Controller and DNS Server
This guide explains how to install and configure a Domain Controller and DNS server based on the Windows 2008 R2 platform, for a new domain in a new forest.
Installation phase
- Install Windows 2008 R2 Server (either Standard or Enterprise edition).
- Log in to the new server for the first time using the administrator account.
- Start -> Run -> dcpromo.exe
- Click Next twice -> select “Create a new domain in a new forest” -> click Next -> specify the FQDN of the new forest root domain -> click Next -> on the forest functional level, choose “Windows Server 2008 R2” -> click Next -> leave “DNS server” selected and click Next -> click “Yes” on the warning message -> choose a location for the database, logs and sysvol folders -> click Next -> specify a complex password for the Directory Services Restore Mode administrator (and document the password) -> click Next twice -> select “Reboot on completion”.
- Allow the server to restart when the installation process completes.
- Log in to the new domain controller for the first time using a domain administrator account.
- Start -> Run -> cmd.exe
- Run the commands below to synchronize the PDC emulator with an external reliable time source:
w32tm /config /computer:<PDC emulator name> /manualpeerlist:time.windows.com /syncfromflags:manual /update
exit
- Start -> Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
- Run the commands below to protect all OUs in the domain from accidental deletion:
import-module activedirectory
Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
exit
- Server Manager -> right click on Features -> Add Features -> select “Windows Server Backup Features” -> click Next -> click Install -> click Close.
- Start -> Administrative Tools -> Windows Server Backup -> from the Actions pane, click on “Backup Schedule” -> click Next -> choose “Full server” -> Specify a backup time -> click Next -> click the check box for your destination disk -> click Next -> click Yes to confirm that the destination disk will be reformatted -> verify the label for the destination disk -> click Next -> verify the information on the Summary page -> click Finish -> On the Confirmation page -> click Close.
- Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary zone” -> leave “Store the zone in Active Directory” checked -> click Next -> select “To all DNS Servers running on domain controllers in this forest” -> click Next -> choose “IPv4 Reverse Lookup Zone” -> click Next -> in the “Network ID” field, enter the first 3 octets of the network segment the Domain Controller resides in -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
- Perform the above step for all other network segments that exist in your organization.
- From the left pane, expand the server name -> expand “Forward Lookup Zones” -> right click on each zone name -> Properties -> Name Servers tab -> make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with DNS service) -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
- Perform the above step for all other “Forward Lookup zones” and “Reverse Lookup zones” in your forest.
Important note: The first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.
IPv6 DNS settings
- In order to configure an IPv6 address for the DNS server: Start -> Control Panel -> under “Network and Internet”, click on “View network status and tasks” -> click “Change adapter settings” -> right click on the relevant “Local Area Connection” icon -> Properties -> click on “Internet Protocol Version 6 (TCP/IPv6)” -> Properties -> select “Use the following IPv6 address” -> if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -> enter a Subnet prefix length of 64 -> click OK -> click Close.
- Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> expand “Reverse Lookup Zones” -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary Zone” -> click Next -> choose “To all DNS servers running on domain controllers in this forest” -> click Next -> choose “IPv6 Reverse Lookup Zone” -> click Next -> on the “IPv6 Address Prefix” field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
- Right click on the new “Reverse Lookup Zone” -> properties -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
Cloud computing vision
Cloud computing is the latest buzz on the Internet these days.
What does it mean to us, and where is the future of cloud computing going?
Some background
In the mid 90’s, we had Citrix, with its vision for server-based computing.
It works similarly to the mainframe idea that came a couple of decades before – you put all your resources on one server, and thin clients connect to receive resources.
A couple of years later, we had a new buzzword, ASP (Application Service Provider), which according to Wikipedia is a business that provides computer-based services to customers over a network.
A few years later, ASP changed its name to SaaS (Software as a Service), which is also referred to as software on demand.
In between, we had VMware, which presented to the world (at least the most famous) server virtualization.
What is Cloud Computing?
According to Wikipedia, Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.
The idea of cloud computing enables customers to avoid investing money in hardware and network equipment and instead rent usage from a third-party provider.
Cloud computing has the following key features:
- Agility improves with users’ ability to rapidly and inexpensively re-provision technological infrastructure resources.
- Cost is claimed to be greatly reduced.
- Device and location independence enable users to access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile).
- Multi-tenancy enables sharing of resources and costs across a large pool of users.
- Reliability is improved if multiple redundant sites are used, which makes well designed cloud computing suitable for business continuity and disaster recovery.
- Scalability via dynamic (“on-demand”) provisioning of resources on a fine-grained, self-service basis near real-time, without users having to engineer for peak loads.
- Maintenance: cloud computing applications are easier to maintain, since they don’t have to be installed on each user’s computer.
- Metering: cloud computing resource usage should be measurable and should be metered per client and application on a daily, weekly, monthly, and annual basis.
The confusion point and vision
People tend to confuse companies moving their data centers and applications toward the cloud with actual cloud computing providers.
A real cloud computing provider is built from large-scale data centers around the world.
Each rack is built from cheap (to manufacture) hot-swappable hardware – it’s time to say goodbye to 1U-4U servers from all major vendors (HP, IBM, DELL, SUN, etc).
Each blade has many-core CPUs (4-core, 6-core and above), with a lot of memory (as much as the hardware supports).
Each blade is connected to a large-scale storage grid.
Everything must be redundant – you must be able to add new racks on-demand, without affecting any customer.
Servers, network equipment and storage devices must be configured in active-active clusters.
Data should be replicated on the fly between data centers across the world, in order to provide 24/7 availability.
Guest operating systems must be able to move between physical servers transparently, as VMware introduced with its VMotion technology.
Server maintenance should be performed on a scheduled basis – since everything is transparent to the customer, firmware upgrades, patch management and software/application upgrades will not affect any customer.
The hardware/network/storage layer should be separated from the application layer, so that current SaaS companies will be able to integrate their current applications to the cloud era, and work transparently with Cloud computing infrastructure.
Cloud computing’s Achilles heel
The thing that drives most people away from the cloud is security.
Customers can’t physically protect their hardware, since they don’t own it.
Customers have trouble protecting their data, since everything is built on virtual machines connected to shared virtual storage.
I hope that in the near future information security professionals will be able to close this gap and offer customers transparent, cheap and secure solutions.
Generating self-signed SSL certificate using OpenSSL
OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by default on Unix platforms as an RPM or package (RedHat, Solaris, etc).
The guide below explains how to generate a key store for digital certificates, generate a private key and self-signed SSL certificate for web servers, and export/convert the key store to a PFX file (for importing to the Windows platform).
The guide below was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin); however, the same syntax should work on the Windows platform.
Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files:
http://www.openssl.org/source/
- Install OpenSSL.
- Run the command below to generate a new key store (the password-protected RSA private key) called “server.key”:
openssl genrsa -des3 -out /tmp/server.key 1024
- Run the commands below to generate a new self-signed SSL certificate and write its fingerprint and details to a text file:
openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt
openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info
- Run the command below to back up the key store file that has a password:
cp /tmp/server.key /tmp/server.key.bak
- Run the command below to generate a new key store without a password:
openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
- Run the command below only if you need to generate a PEM file that contains both the key store and the public key in one file:
cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
- Run the command below only if you need to export a key store (without a password) to a PFX file (for importing to the Windows platform):
openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx
Appendix:
- server.key – Key store file
- server.crt – Server SSL public key file
- no.pwd.server.key – Key store file (without a password)
- no.pwd.server.pem – Key store file + server SSL public key file (without a password)
- server.pfx – Private key + public key, exportable for the Windows platform (e.g. IIS server)
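The procedure above as a script, added here as an example and not part of the original guide, with one check the guide omits: before exporting the PFX it verifies that the private key and certificate share the same RSA modulus, so the PFX cannot be built from a mismatched pair. The CN, the 2048-bit key size and SHA-256 (instead of the guide's 1024-bit key and SHA-1, which are below current minimums) and the PFX password are constructed choices; the openssl binary is assumed to be installed.

```shell
# Added example, not part of the original guide. File names follow the guide;
# the CN, key size, digest and PFX password are constructed for this example.
# Usage: sh gen_cert.sh <fqdn> [workdir]   (workdir defaults to /tmp)

gen_selfsigned() {          # $1 = FQDN, $2 = key file, $3 = certificate file
    # -nodes: unencrypted key, i.e. the guide's no.pwd.server.key in one step
    openssl req -new -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

key_matches_cert() {        # $1 = key file, $2 = cert file; 0 if they match
    # Both commands print "Modulus=<hex>"; equal moduli mean the same RSA pair.
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

export_pfx() {              # $1 = key, $2 = cert, $3 = pfx file, $4 = password
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch, not exporting" >&2; return 1; }
    openssl pkcs12 -export -in "$2" -inkey "$1" -out "$3" -passout "pass:$4" 2>/dev/null
}

pfx_is_readable() {         # $1 = pfx file, $2 = password; 0 if the MAC verifies
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

if [ -n "$1" ] && command -v openssl >/dev/null; then
    WORK=${2:-/tmp}
    gen_selfsigned "$1" "$WORK/no.pwd.server.key" "$WORK/server.crt"
    openssl x509 -noout -subject -dates -fingerprint -in "$WORK/server.crt"
    export_pfx "$WORK/no.pwd.server.key" "$WORK/server.crt" "$WORK/server.pfx" changeit
fi
```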
Security Vulnerability Assessment Process and Policy
Overview:
In order to maintain high security standards, identify potential vulnerabilities and evaluate the effectiveness of various security controls that were implemented within the infrastructure, it is crucial to perform periodic security assessments.
Goal:
This procedure defines the controls and steps that are required for identifying security vulnerabilities and ensuring a reasonable level of security at the infrastructure and application levels.
Process:
External Facing:
- Perform automated external application level scans on a daily basis for website and application. (e.g. McAfee Secure, Acunetix).
- Perform automated external network level scans on a weekly basis (e.g. McAfee Secure)
- Perform in-house, half automated scans with a vulnerability assessment tool (e.g. Qualys)
- Execute a dedicated application level and network penetration test by a professional third party.
This should be executed twice a year or on every major application release.
Internal:
- Discovery: run an NMAP scan on all VLANs to identify all the devices and create an asset inventory that outlines devices and services. [weekly / monthly]
- Network and infrastructure vulnerabilities: run a weekly scan with NESSUS or a similar tool to identify infrastructure gaps and non-hardened devices.
- Purchase and run vulnerability scanner (such as Qualys or NetIQ) – every week.
- Patch Management:
- Install Microsoft WSUS server to maintain security patches for Windows infrastructure.
- Install Linux YUM server to maintain security patches for RedHat infrastructure.
- Generate reports on a weekly basis to find vulnerable systems.
- Penetration test: run an annual internal pen-test to identify internal gaps with orientation to threats from within the organization.
Implement a Production Change Management policy that includes a hardening and implementation clearance process for new devices (e.g. addition of new network device, operating system, web server, DB server, etc).