8.7.8 Lab – Configure Security Features in Windows and Linux Answers

8.7.8 Lab – Configure Security Features in Windows and Linux

Objectives

  • Part 1: Update Windows and Linux
  • Part 2: Windows Local Security Policy
  • Part 3: Configure Firewall Rules
  • Part 4: Install and Run Applications

Required Resources

  • 1 Windows 10 PC
  • This CSE-LABVM virtual machine
  • Internet access

Background / Scenario

In this lab, you will update both Windows and Linux systems. You will configure local security policy and configure firewall rules in Windows. In Linux, you will install two applications: chkrootkit and lynis.

Instructions

Part 1: Update Windows and Linux

New flaws and vulnerabilities are discovered all the time. It is a good idea to keep your PC up to date to mitigate exploitation of known vulnerabilities.

Step 1: Verify connectivity between the CSE-LABVM and the Windows host computer.

In this step, you will verify connectivity to the internet so that you can download updates. Furthermore, you will verify connectivity between the CSE-LABVM and the Windows PC so that you can perform tasks later in this lab.

a. Before launching the CSE-LABVM, select it and then choose Settings > Network. For Adapter 1, change the Attached to: option to Bridged Adapter. You can then choose the adapter. Many computers have two adapters: one for wireless networks and the other for wired networks. Choose the one your computer is using to connect to the internet.

b. Launch the CSE-LABVM and wait for it to boot.

c. On the CSE-LABVM, open a terminal and enter ip address to determine its IP address.

d. On your Windows host computer, open a command prompt and enter ipconfig to determine its IP address.

Record the IP address for both CSE-LABVM and Windows PC.
CSE-LABVM:
Your IP address will vary, but the IP address should be in the same network as the Windows PC.

Windows PC:
Your IP addresses will vary, but the IP addresses for both the CSE-LABVM and Windows host should be in the same network. For example, an IP address of 192.168.68.131/24 on the VM and an IP address of 192.168.68.119/24 on the Windows host means that they are in the same 192.168.68.0/24 network.

e. From the respective command prompts, ping a website of your choice to verify that the Windows host and CSE-LABVM can reach the internet.

f. Verify that the Windows host can ping the CSE-LABVM.

g. From CSE-LABVM, attempt to ping the Windows host. The CSE-LABVM may not be able to ping the Windows host because of the default firewall settings in Windows. You will modify the firewall rule later in this lab to allow the pings through the Windows Firewall. Press CTRL-C to stop the pings if necessary.

Step 2: Check for Windows updates.

a. In the Windows Start Menu, search for check for updates.

b. In the Windows Update window, you can review optional updates and the update history. Explore all the available options related to Windows Update and answer the following questions.

When was the last time the system checked for updates?
Answer will vary. It is probably within the last 7 days.

What are your current active hours? What will Windows do outside the active hours?
Answers will vary. It is probably between 8 AM and 5 PM. Windows can automatically restart the system outside the active hours.

Step 3: Linux update and upgrade

a. In the CSE-LABVM, enter the command apt-get to see a list of available commands. The apt-get update command should always be run before an upgrade.

b. Enter the command sudo apt-get update to resynchronize the package index files from their sources. Enter password as the password when prompted.

cisco@labvm:~$ sudo apt-get update
[sudo] password for cisco:

c. In the terminal, enter the command sudo apt-get upgrade to retrieve and upgrade the currently installed packages with new versions available. This command will not remove currently installed packages. If the newer version cannot be upgraded, no changes will be made to the packages.

Enter password as the password if prompted. Reply y when asked if you want to continue. This upgrade process can take a few minutes.

cisco@labvm:~$ sudo apt-get upgrade
[sudo] password for cisco:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
Need to get 479 MB of archives.
After this operation, 53.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Part 2: Windows Local Security Policy (Optional)

The Windows Local Security Policy of a system is a set of information about the security of your computer. In this part, you will configure the local password policy, account lockout settings, and the audit policy.

Note: Local Security Policy comes only with Windows Pro or Enterprise editions. If you have the Home edition, you can search the internet for tutorials on ‘How to Enable Local Security Policy (secpol.msc).’ For example, the majorgeeks.com website has an excellent tutorial. If you are not allowed or would prefer not to change the Local Security Policy on your Windows host, read through this part and move on to the next part.

Step 1: Configure Local Password Policy in Windows

You have determined that the password security policy is as follows:

  • A user must use a unique password for at least 2 changes of the password.
  • Passwords must be at least 8 characters.
  • Passwords must be changed every 90 days.
  • The password can be changed only once a day.
  • A password must consist of the following four elements:
      o At least one lower case alpha character.
      o At least one upper case alpha character.
      o At least one numerical character.
      o At least one symbol character.

a. Navigate to the Local Security Policy by first searching for and opening the Control Panel.

b. Click Administrative Tools, and then search for Local Security Policy.

c. Open Local Security Policy.

List a few of the security policy settings:

Account Policies, Local Policies, Windows Defender Firewall with Advanced Security, Network List Manager Policies, Public Key Policies, Software Restriction Policies, and Application Control Policies.

d. Expand Account Policies and click Password Policy. Six policies are displayed in the right panel with their associated default security settings.

e. The first policy, Enforce password history, is used to set the number of unique passwords the user must enter before being allowed to reuse a password. Double-click Enforce password history to open the Enforce password history Properties window. Set the value to 2.

f. Fill in the values you should set in Local Security Policy for the remaining Password Policy security settings.

Policy                                         Security Setting
Enforce password history                       2
Maximum password age                           90
Minimum password age                           1
Minimum password length                        8
Password must meet complexity requirements     Enabled
Store passwords using reversible encryption    Disabled

Note: The Store passwords using reversible encryption security setting should always be disabled. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

g. Double-click each of the policies and set the values according to your entries in the table above.

Step 2: Test the password policy security settings.

Test your password policy security settings by attempting to change the password. Try a new password that does not meet the length or complexity requirements.

a. From the Start Menu, search for Change your password.

b. Click Password. Click Change.

c. Enter your current password. Click Next to continue.

d. Enter your new password twice and provide a password hint. Make sure your new password does not meet the length or complexity requirements that you configured in the previous step. Click Next to continue.

e. Click Finish. You should be presented with a message that your new password does not meet password policy requirements. Click Close to continue.

Step 3: Configure the Account Lockout Policy security settings.

a. Navigate back to the Local Security Policy window.

b. Under the expanded Account Policies, click Account Lockout Policy. Three policies are displayed in the right panel with their associated default security settings.

c. Change the default settings to the following:

  • A user must wait 10 minutes for the lockout counter to reset.
  • Users are locked out of the computer after 5 attempts to enter the correct password.

How long should the user have to wait before attempting to log back in?
10 minutes

How many times is a user allowed to attempt to login before the account is locked?
5 attempts

Step 4: Configure the Audit Policy security settings.

a. Expand the Local Policies menu, and then click Audit Policy.

b. Double-click to open the properties window for Audit account logon events.

c. In the Local Security Setting tab, notice the check boxes for Success and Failure.

d. Click the Explain tab to learn about this security setting. Click OK to close the Properties window.

e. Continue to review each security setting. Click the Explain tab for each and read what it does.
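The same Part 2 settings (password policy, account lockout, and account logon auditing) applied from an elevated PowerShell prompt instead of the secpol.msc GUI, followed by a verification step. This is an added example, not part of the Cisco lab; the export path C:\Temp\secpol.cfg is an assumption.

```powershell
# Added example (not part of the lab): script the Part 2 Local Security Policy
# values and then verify them. Run from an elevated PowerShell prompt.

# Steps 1 and 3: the password table and the lockout values from the lab.
# net accounts writes the same Account Policies that secpol.msc displays.
net accounts /UNIQUEPW:2 /MAXPWAGE:90 /MINPWAGE:1 /MINPWLEN:8
net accounts /LOCKOUTTHRESHOLD:5 /LOCKOUTDURATION:10 /LOCKOUTWINDOW:10

# "Password must meet complexity requirements" and "Store passwords using
# reversible encryption" have no net accounts switch. They live in the
# [System Access] section of a security template, so export the current
# policy with secedit, edit the two keys, and import it again.
$cfg = 'C:\Temp\secpol.cfg'   # assumed scratch path
New-Item -ItemType Directory -Path (Split-Path $cfg) -Force | Out-Null
secedit /export /cfg $cfg /quiet

$tpl = Get-Content -Path $cfg
$tpl = $tpl -replace '^PasswordComplexity\s*=.*', 'PasswordComplexity = 1'  # Enabled
$tpl = $tpl -replace '^ClearTextPassword\s*=.*',  'ClearTextPassword = 0'   # Disabled (reversible encryption off)
Set-Content -Path $cfg -Value $tpl -Encoding Unicode
secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY /quiet

# Step 4: "Audit account logon events" is the legacy name of the Account Logon
# category. Enable both Success and Failure, as the two check boxes do.
auditpol /set /category:"Account Logon" /success:enable /failure:enable

# Verification: compare this output against the lab table and Step 3 answers.
net accounts
auditpol /get /category:"Account Logon"
```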

Part 3: Configure Firewall Rules

Traffic travels in and out of devices using ports. The firewall controls the flow of the traffic. Think of the firewall as a security guard who controls the inbound and outbound traffic based on the firewall rules.

In this part, you will configure Windows Defender Firewall on a Windows PC.

Step 1: Investigate Windows Defender Firewall

a. From the Start Menu, Search for and open Windows Defender Firewall. The default state for the Windows Firewall is On.

Note: If you are using a Windows PC that is administered by an organization, you may see the message, For your security, some settings are managed by your system administrator.

What are the benefits of Windows Firewall?
Windows Firewall can help prevent hackers or malicious software from gaining access to your computer through the internet or through your network.

b. In the left panel of the window, click Allow an app or feature through Windows Defender Firewall. In the Allowed apps and features window, programs and services that Windows Firewall is not blocking will be listed with a check mark.

Note: You can add applications to this list. This may be necessary if you have an application that requires outside communications but for some reason the Windows Firewall cannot perform the configuration automatically.

Creating too many exceptions in your Programs and Services file can have negative consequences.

Describe a negative consequence of having too many exceptions.

Answers will vary. Exceptions for a program to communicate through the Windows Firewall are like opening a hole in the firewall. Attackers use software that scans the internet looking for computers with many exceptions and open ports.

c. Click Cancel to exit the Allow apps window.

Step 2: Configure the Advanced Security features in Windows Firewall to allow echo requests.

Note: This step may not be allowed by your organization’s security policy.

In this step, you will create an inbound rule that will allow echo request packets through the firewall.

a. In the left panel of the Windows Defender Firewall, click Advanced settings.

b. In the Windows Defender Firewall with Advanced Security on Local Computer, you can configure Inbound Rules, Outbound Rules, or Connection Security Rules. You can also click Monitoring to view the status of configured rules.

c. Click Inbound Rules, and then in the Actions pane, click New Rule.

d. In the New Inbound Rule Wizard, select Custom, and then click Next twice. You should now be at the Protocol and Ports step.

e. For Protocol type, select ICMPv4, and then click Customize.

f. In the Customize ICMP Settings window, select Specific ICMP types, select Echo Request, and then Click OK.

g. Click Next three times. You should now be at the Profile step.

h. Deselect Public so the Windows PC will not respond to an echo request in a public network location, such as an internet cafe. Click Next to continue.

i. Provide a name for the new inbound rule that gives a good description of the rule and click Finish. You should now see your rule at the top of the list of Inbound Rules in the Windows Defender Firewall with Advanced Security dialog window.

j. The rule is now created and enabled. Verify that the CSE-LABVM can ping the Windows host and receive replies.
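The same inbound rule as Step 2, created and checked from an elevated PowerShell prompt. This is an added example, not part of the Cisco lab; the rule name is an assumption, and the final check explains the most common reason the VM still gets no replies (the active network is classified as Public, which the rule deliberately excludes).

```powershell
# Added example (not part of the lab): create the Part 3 echo-request rule
# and confirm what was actually applied. Run from an elevated prompt.
$name = 'Allow ICMPv4 Echo Request (Domain, Private)'   # assumed rule name

# ICMPv4 type 8 is Echo Request. Leaving Public out of -Profile keeps the PC
# silent to pings on untrusted networks such as an internet cafe hotspot.
New-NetFirewallRule -DisplayName $name `
    -Direction Inbound `
    -Protocol ICMPv4 `
    -IcmpType 8 `
    -Profile Domain,Private `
    -Action Allow `
    -Enabled True | Out-Null

# Verify the rule exists and carries exactly the intended protocol, ICMP type
# and profiles, rather than trusting the wizard's summary page.
$rule = Get-NetFirewallRule -DisplayName $name
$port = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Enabled  = $rule.Enabled
    Action   = $rule.Action
    Profile  = $rule.Profile
    Protocol = $port.Protocol
    IcmpType = $port.IcmpType
}

# If the CSE-LABVM still gets no reply, check which profile the bridged
# adapter is in: a NetworkCategory of Public means this rule does not apply.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```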

Part 4: Install and Run Applications

In this part, you will install two new applications on CSE-LABVM: chkrootkit and lynis. The application chkrootkit will be downloaded from a software repository. However, we will add a new repository so we can install lynis, provided by CISOfy.

Step 1: Install and run chkrootkit

The tool chkrootkit is used to check for signs of a rootkit on a local system. A rootkit is a type of malware that can remain hidden on your computer and can be used by attackers to cause significant damage to your device.

a. In a terminal, enter the command sudo apt install chkrootkit. Enter the password password when prompted.

cisco@labvm:~$ sudo apt install chkrootkit
[sudo] password for cisco:

b. Enter the command sudo chkrootkit to run a rootkit check.

cisco@labvm:~$ sudo chkrootkit

c. The output can be filtered to look for strings of interest, such as worm. The command chkrootkit can be piped together with the command grep with the option -i to ignore case distinctions in the strings of interest.

cisco@labvm:~$ sudo chkrootkit | grep -i worm
Searching for LPD Worm files and dirs...                    nothing found
Searching for Ramen Worm files and dirs...                  nothing found
Searching for Adore Worm...                                 nothing found
Searching for ShitC Worm...                                 nothing found
Searching for Omega Worm...                                 nothing found
Searching for Sadmind/IIS Worm...                           nothing found
Searching for TC2 Worm default files and dirs...            nothing found
! cisco       32822 pts/0  grep --color=auto -i worm

Step 2: Install Lynis

Lynis is a security tool for systems running a Unix-based OS, such as Linux and macOS. Lynis will be used later in another activity to harden a Linux system. The application Lynis is maintained by CISOfy. In this step, we will add the software repository and install Lynis.

a. Copy and paste the following command into a terminal to import the CISOfy signing key from the Ubuntu keyserver. This key is required to verify the integrity of your download when you download Lynis:

cisco@labvm:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4
Executing: /tmp/apt-key-gpghome.8C6X477onz/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4
gpg: key FEBB7D1812576482: public key 'CISOfy software signing ' imported
gpg: Total number processed: 1
gpg:               imported: 1

b. Copy and paste the following command into a terminal to add the lynis repository maintained by CISOfy.

cisco@labvm:~$ echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
deb https://packages.cisofy.com/community/lynis/deb/ stable main

c. Perform an update after adding a new repository. At the prompt, enter sudo apt-get update.

d. Use the command apt install to install Lynis.

cisco@labvm:~$ sudo apt install lynis
Reading package lists... Done
Building dependency tree 
Reading state information... Done
The following NEW packages will be installed:
  lynis
0 upgraded, 1 newly installed, 0 to remove and 17 not upgraded.
Need to get 0 B/262 kB of archives.
After this operation, 1,681 kB of additional disk space will be used.
Selecting previously unselected package lynis.
(Reading database ... 205787 files and directories currently installed.)
Preparing to unpack .../lynis_3.0.6-100_all.deb ...
Unpacking lynis (3.0.6-100) ...
Setting up lynis (3.0.6-100) ...
Processing triggers for man-db (2.9.1-1) ...

From the output, what is the installed Lynis version?
At the time of writing, it is version 3.0.6.

e. To verify the installed version, enter the command lynis show version at the terminal.

cisco@labvm:~$ lynis show version
3.0.6

f. If you want to know the latest version provided by CISOfy, enter the following command at the terminal.

cisco@labvm:~$ sudo apt-cache policy lynis
lynis:
  Installed: 3.0.6-100
  Candidate: 3.0.6-100
  Version table:
 *** 3.0.6-100 500
        500 https://packages.cisofy.com/community/lynis/deb stable/main amd64 Packages
        500 https://packages.cisofy.com/community/lynis/deb stable/main i386 Packages
        100 /var/lib/dpkg/status
     2.6.2-1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal/universe i386 Packages

g. You can run sudo apt-get update and sudo apt-get upgrade again to ensure that you have all the latest updates from CISOfy.
