We have spent a lot of time discussing the cloud in this section. But the cloud is made up of a lot of different types of servers. In this lesson, we're going to discuss a few specific types of servers that may be hosted in the cloud, and how you can best secure them.

First, we have file servers. File servers are used to store, transfer, migrate, synchronize, and archive your files. Any computer can act as a file server in the real world. The server might be running Windows, Linux, or Mac OS X as its operating system, and it really doesn't matter which. Either way, you want to make sure the file server is using proper data encryption for its files when they're at rest, that the server has monitoring and logging being performed on it, and a good host-based intrusion detection system. You might also want to use data loss prevention applications to ensure the data isn't stolen, and all of the normal configuration hardening and patching that we've already discussed in the past during this course.

Second, we have email servers. These servers are a frequent target of attacks because they contain a lot of valuable data from within your organization. In a Windows environment, the most common email server is Microsoft Exchange. Microsoft Exchange and its Unix and Linux counterparts all support the POP3, IMAP, and SMTP protocols for receiving and sending email. This means that, at a minimum, we have at least three open ports and services running, but usually there are many, many more. Because email servers are frequently a target of attacks, it's important that you ensure that they are securely configured using the hardening techniques discussed earlier in this course, that you have spam filtering applications installed, and antivirus, not just for the server itself, but also to scan and quarantine all of the attachments being sent or received by your users.

Next, we have a web server. In the Windows environment, this is usually hosted by Internet Information Services, or IIS server. For Linux or Mac, this is usually going to be an Apache web server. Either way, web servers are, by default, open to the Internet to perform their job. So, it's important for us to properly secure them. They should always be placed in your organization's DMZ. They should be properly firewalled, monitored, logged, audited, and patched to ensure their security. Always ensure that your web server is up-to-date with the latest patches. If you aren't sure what patches need to be applied, you can always visit the common vulnerability and exposure website, or CVE, that's hosted by the MITRE Corporation. This site maintains an up-to-date list of every known vulnerability for every type of software that's on the market.

Our fourth type of server is an FTP server. An FTP server is a specialized type of file server that's used to host files for distribution across the web. These servers can be set up to allow anonymous login and receipt of files, or they can be secured with a username, password, or other credentials. You might want an anonymous FTP setup if you're distributing your software, for example, or you may want a secure FTP server setup so that your remote offices can upload and download large files over the Internet to your network. If you're setting up an FTP server, remember to always force an encrypted connection using Transport Layer Security, or TLS, because if you're going to require a username or password, you want to make sure it's protected during transmission. By default, FTP runs over ports 20 and 21, and it passes its information across the web in an unencrypted format. If you, instead, require that TLS be utilized, this will ensure that the login process and all of the data being sent back and forth remains confidential and safe from prying eyes.

The final type of server we're going to discuss in this lesson is called a domain controller. For a Windows environment, this is known as Active Directory. In a Linux environment, you're likely going to use an LDAP server instead. Either way, this server acts as the central repository of all of your user accounts, your computer accounts, and their associated passwords for the network. Because of this, hackers often target the Active Directory server as a method of privilege escalation, or at the very least, lateral movement, by gaining another administrator's or user's account credentials and exploiting the server. Active Directory relies on Kerberos and its ticket-granting system to conduct its user authentication functions. And so one common attack against Active Directory servers is known as the golden ticket. This attack uses a program known as Mimikatz to exploit a vulnerability in the Kerberos ticket-granting system to generate a ticket that acts as a skeleton key for all of the devices in the domain. Hence the name, a golden ticket. It is basically a free pass for the attacker to do a lot of damage in your network.

You want to make sure you prevent this, and to do this, you want to ensure that the Active Directory controller is up-to-date on its patches, its configurations are hardened, and that it's secure and in place in your network.