Solved

hardening of NTP & DNS servers

Posted on 2014-02-22
6
1,694 Views
Last Modified: 2014-02-25
Currently we have the following in our Redhat NTP servers.  
server xx.pool.ntp.org
restrict xx.pool.ntp.org nomodify notrap nopeer noquery
server 0.yy.pool.ntp.org
restrict 0.yy.pool.ntp.org nomodify notrap nopeer noquery
server 1.yy.pool.ntp.org
restrict 1.yy.pool.ntp.org nomodify notrap nopeer noquery

Q1:
There are further hardening that could be done so wud like
to get advice here which ones in the URL below are more commonly used &
will not cause disruption:
http://www.brennan.id.au/09-Network_Time_Protocol.html

Q2:
We have Cisco routers/devices acting as NTP server, what are
the hardening commands/settings that generally people apply?

Q3:
We have Windows 2008 R2 & Redhat Linux running as DNS.
What are the hardening needed (& how to verify the hardening
has been implemented) to harden the DNS (not the OS but the
DNS function)
0
Comment
Question by:sunhux
6 Comments
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
Comment Utility
don't allow ntp/dns requests from outside the local area network.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 170 total points
Comment Utility
Hardening as was pointed out by dAvid deals with services that are generally accessed from outside your network.

Your question suggests only one answer which is you need to harden the workstations as they have to be compromised through a user accessing a compromised site that in turn compromises the workstation or you have a rogue user with access on the network.

Make sure your systems/routers have the vendor released updates/security fixes.
Nanog is a good network related security publication.  Cert.org deals with system/OS notifications.

On your DNS, some use forwarders, while letting your systems go and fetch all records uses more bandwidth, it "reduces" the risk should the forwarder when one issued was poisoned with invalid/wrong records.
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
Comment Utility
The most effective hardening is least privilege operation..  run as a standard user and only sudo or run as administrator for tasks that require administrator priviledges .. Over 90% of the windows attacks are mitigated by running as a standard user.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 61

Accepted Solution

by:
btan earned 230 total points
Comment Utility
For the DNS, you may want to check out slide which highlights the security considerations for the DNS and you may want to focus on the section on DNS Hardening part covering - local file system,application, managing access control

http://www.academia.edu/3065550/DNS_Security_and_Hardening_-_Linux

Also Cisco shared more information on locking down (believe you have also saw the US CERT DNS amplification advisory in your past EE posting)
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

It also stated others (such as Team Cymru) also provides specific like a Secure BIND Template that operators can use as a guide for hardening their DNS servers. The official list of unallocated Internet addresses is maintained by Team Cymru. Additional information about filtering unused addresses is available at the Bogon Reference Page.


For NTP aspects, Cisco site shares more also which we may want focus on
- configure ACLs to restrict access to the NTP services on the providing device.  
- configure your NTP servers and clients to use authentication

http://oreilly.com/catalog/hardcisco/chapter/ch10.html

Excerpt

Make sure all routers use NTP to synchronize their time.

On larger networks requiring more accurate time, use redundant timeservers and synchronize routers to multiple servers to prevent a single point of failure.

Use the ntp master command only when external time synchronization is not possible--i.e., in networks not connected to the Internet.

Make sure all routers have ACLs preventing them from becoming public time synchronization servers. These ACLs should restrict what servers the router synchronizes to and systems the router will synchronize.

Use NTP authentication between clients, servers, and peers to ensure that time is synchronized to approved servers only.

Also for NTP consideration which is can be miss out as we tend to be too focus on hardening the configuration is the stratum connection if applicable. Normally only stratum 2 servers should connect to stratum 1 server. The loss precision by having inconsistency in connection due to abuse may indirectly leads to servers whose hosted applications that require more precision than that of a normal computer network, to miss the sync and can impact the business running. OF course, it is ideal that such applications can also consider receiving its time code via a multitude of trusted sources.
0
 

Author Comment

by:sunhux
Comment Utility
Think I've got most of the answers, just 2 more:

Q1:
There are further hardening that could be done so wud like
to get advice here which ones in the URL below are more
commonly used & will not cause disruption:
  http://www.brennan.id.au/09-Network_Time_Protocol.html

Is there any hardening on Windows 2008 R2 that act as AD
/DNS (not Windows hardening but AD/DNS) ? Excuse me if
I did not get your point
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 170 total points
Comment Utility
Your hardening concentration seems to be in the wrong emphasis.  I.e. In a car you are focusing on how to harden the controls on the heater/AC and radio rather than hardening the entry points.
Both antp and DNS teased on your question are internally used and do not see direct requests from unknown sources.  Maintaining them up to date will deal with DNS poisoning where acces sitea redirects the queries to fictitious sites.  Similarly with NTP configuring them to use trusted sources, or eliminating any external source, configure one or two internal systems as an ntp server to which the remaining will synchronize.

As to your latest question, pick the one you are comfortable with unless you choose an untrusted external DNS server to which your DNS will forward its requests or an an untrusted NTP reserved! you should be fine,  (the impact of an untrusted NTP deals with Time shift/drift.  Usually The local system will not allow a single large deviation I.e. A 30 minute shift might be the largest in one step.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Suggested Solutions

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
OfficeMate Freezes on login or does not load after login credentials are input.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now