UCS and security hardening

UCS Security Hardening - A Collection

This is a collection of security related best practices and configurations for Univention Corporate Server.

The first draft of this guide originated from a project with a customer to make UCS compliant with the Payment Card Industry Data Security Standard (PCI DSS). All mentioned PCI DSS requirements refer to version 3.2 of PCI DSS. The security requirements of PCI DSS can of course also be used as a guideline for organisations that don’t deal with payment card data, but please be aware that compliance to a standard does not necessarily increase the security in every case. Please don’t blindly follow this guide. Review every setting and make sure you understand the consequences. It is recommended to perform your own risk analysis and then apply those security measures that are relevant to your situation.

Disclaimer:
This collection comes WITHOUT WARRANTY and WITHOUT ANY CLAIM OF COMPLETENESS.
Feel free to report errors below in the comments. Contributions are welcome :slight_smile:

This collection was written for UCS 4.2 and therefore might be outdated. Updates are marked with their respective date.
If you are running an older version of UCS we strongly recommend upgrading to the latest version to benefit from the recent security improvements and up-to-date packages (e.g. GnuTLS and OpenSSL, just to name a few).

Please note that security measures can only reduce risk. They do not guarantee that you are safe from attacks or data breaches.

General rules

This is independent of UCS, but overall security needs to be taken into account, of course.

PCI DSS has the following overall requirements:

  • Maintain a secure network
    • For Firewalls, Routers, Switches, Printers, BIOS/UEFI, Lights Out Management (LOM) → replace default passwords, replace/review default settings
  • Protect sensitive information (e.g. cardholder data)
    • encryption at rest (e.g. encrypted LVM)
    • encryption in transit (e.g. enforcing encrypted network traffic)
  • Maintain a Vulnerability Management Program
    • Protect all systems against malware
    • Develop and maintain secure systems and applications
  • Implement strong Access Control
    • Restrict access to sensitive data
    • Identify and authenticate access to system components
    • Restrict physical access to sensitive data (e.g. lock up your server room)
  • Regularly monitor and test Networks
    • Track and monitor all access to network resources and sensitive information
    • Regularly test security systems and processes (config file integrity monitor, vulnerability scanner, pen-testing …)
  • Maintain an Information Security Policy
    • Maintain a policy that addresses information security for all personnel

Independently of PCI DSS:

  • Have a look at Enterprise — Decent Security for a collection of good practical advice
  • Disable all services that are not explicitly relevant
  • Use SSH-Keys where possible instead of password login. If applicable disable remote root login and remote password based login
  • Use different passwords for root and Domain Admins (to separate machine and domain administration)
  • Use different passwords for root on each system (to avoid lateral movement of an attacker)
  • Do not use Administrator and root for daily operation. Use personalized administration accounts instead (e.g. with sudo).
  • Use separate administration accounts for Domain controller and client administration
  • IT staff use unprivileged accounts for their usual tasks (e.g. reading mail) and only use privileged accounts when necessary (e.g. adding a new user)
  • Have a look at this Univention blog post that also deals with reducing attack vectors with focus on Kerberos and Pass-the-hash
  • Have recent backups
    • Limit access to backups (control access, encrypt them)
    • Ensure you can restore your backups

Basic settings

  • Integrity monitoring - you need to know when things change and who changed what.

    • For the changes made to the OpenLDAP directory, use univention-directory-logger. This is part of the default UCS features (no additional costs) but needs to be installed manually:
      univention-install univention-directory-logger
    • Use a component that logs all (privileged) commands executed on the shell
      • e.g. Snoopy Logger to log all executed commands (+ arguments) to syslog
      • or auditd, the Linux Audit System
    • Use a configuration file monitoring tool such as OSSEC, Tripwire or etckeeper

  • Use a central monitoring tool with alerting and reporting (for PCI DSS compliance, there is http://www.wazuh.com/pci-dss/)

  • Keep an eye on all session timeouts. You might want to ensure that people are logged out after a certain time of inactivity (e.g. if an admin forgot to lock their desktop). Please balance the pros and cons here. Short timeouts force people to re-enter their passwords more often, which is a higher risk for so-called Shoulder Surfing.
    PCI DSS allows max. 15 minutes (900 seconds) of idle time.

    • Since UCS 4.2 the UMC session timeout defaults to 28800 seconds (8 hours) and needs to be adjusted. The timeout can be altered via the UCR variable umc/http/session/timeout
    • SSH sessions are closed after 3 x 60 seconds (= 3 minutes) of inactivity by default. This value can be altered via these two UCR variables:
      • sshd/config/ClientAliveInterval (defaults to ‘60’)
      • sshd/config/ClientAliveCountMax (defaults to ‘3’)
      • Please note that this configuration does not apply if a terminal multiplexer like screen or tmux is used, which keep the session alive.
    • If the UCS Self Service is used, the token lifetime has to be reduced to 15 minutes (umc/self-service/passwordreset/token_validity_period)
  • Password policy

    • PCI DSS requires at least 7 characters, a password history of at least 4 and a validity of max. 90 days.
    • The UCS default is at least 8 characters, a password history of 3 and an unlimited validity. Learn more about password policies in UCS. Please balance the pros and cons here. Short validity of passwords might be counterproductive, because people start noting down their passwords.
    • PCI DSS requires to activate a password complexity check. To enable this on UCS, use the check mark at the user object. To alter the complexity requirements, use these UCR variables:
      • password/quality/credit/digits
      • password/quality/credit/lower
      • password/quality/credit/other
      • password/quality/credit/upper
        → Example: if password/quality/credit/digits is set to 3, the password must contain at least 3 digits.
        → change at least three of the UCR variables to the value ‘1’ to meet the PCI DSS requirements.
  • PCI DSS requires at least SHA-256 as password hash algorithm. Current UCS versions use SHA-512 by default. For LDAP user accounts, check the following UCR variable, especially if you installed with an older version of UCS:

    • password/hashing/method
  • Possible values also include SHA-512 and bcrypt since 4.4-7 errata 887 (updated 03-2021)

  • If you have not changed the password of local (non-LDAP) accounts such as root after updating to UCS 4.1-3 errata 302, their passwords might still be hashed with md5crypt. Please change the password after updating to a recent UCS version to automatically change the hashed password to sha512crypt.

  • Account deactivation

    • PCI DSS requires that user accounts MUST be deactivated after 90 days of inactivity
    • There is no automated way in UCS or Active Directory to identify unused accounts and disable them. This needs a custom check.
      • useful OpenLDAP attributes might be: sambaPwdLastSet, krb5PasswordEnd
      • useful Samba/AD attributes: lastLogon, lastLogonTimestamp
      • Account deactivation is represented in UDM in the property disabled, which can be checked on a per account basis e.g. by running udm users/user list --filter uid=<username> | grep disabled
  • Account lockout

    • PCI DSS requires that users MUST be locked out from accessing systems and services after 6 unsuccessful login attempts. The lockout duration has to be at least 30 minutes or until an administrator enables the user account again. This can be configured in UCS via the faillog feature.
    • Please note, that if Samba is used as Active Directory Domain Controller, additional steps have to be made to also activate the account lockout feature of Active Directory (see Account Lockout Policy | Microsoft Learn for details).
  • Password reset

    • If an Administrator needs to reset a user password, the user MUST be forced to set a new one at the next login. UCS comes with a checkbox at the user account for this.
  • Further SSH configuration

    • sshd/Protocol MUST NOT be “1” (UCS default is SSH protocol version 2)
    • SSH access for root SHOULD be disabled (sshd/permitroot). Before you lock out root, make sure you can log in with another account.
    • SSH X-Forwarding MUST be disabled (sshd/xforwarding)
    • The following UCRVs should meet modern defaults (recommendations were updated 03-2021):
      • sshd/Ciphers: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr
      • sshd/MACs: hmac-sha2-256,hmac-sha2-512
      • sshd/KexAlgorithm: diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    • It is recommended to renew the SSH host keys with a minimum length of 4096 bit:
      • ucr set sshd/HostKey/rsa=4096 && univention-openssh-recreate-host-keys
  • System time

    • For monitoring and auditing reasons, it’s important that all system clocks are in sync.
    • You MUST configure at least one external time server for the UCS Master (timeserver). Other UCS server roles will default to use the UCS Master as upstream time server.
    • PCI DSS requires that NTP must be configured with peers (bi-directional sync between servers of the same stratum inside a corporate network for redundancy). For UCS, that means you will have to modify the UCR template of ntp.conf.
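The timeout, password policy and SSH settings above are all plain UCR variables, so they can be audited in one pass. The following script is an added example, not part of UCS or this guide: it reads settings in the `key: value` form that `ucr dump` prints (an assumption about that format), falls back to the defaults quoted above for unset variables, and reports every setting that misses the PCI DSS values named in this section. The two input samples are constructed; the exact spelling of the accepted `password/hashing/method` values and the yes/no form of `sshd/xforwarding` and `sshd/permitroot` are assumptions.

```python
"""Audit UCR settings against the PCI DSS values listed in this guide.

Added example, not UCS code. Feed it the output of ``ucr dump`` on a real
system; the samples below are constructed.
"""

PCI_MAX_IDLE_SECONDS = 900  # PCI DSS: at most 15 minutes of idle time

# Defaults quoted in the guide for variables that are unset on a fresh system.
DEFAULTS = {
    "umc/http/session/timeout": "28800",
    "sshd/config/ClientAliveInterval": "60",
    "sshd/config/ClientAliveCountMax": "3",
    "sshd/Protocol": "2",
}

CREDIT_VARS = [
    "password/quality/credit/digits",
    "password/quality/credit/lower",
    "password/quality/credit/other",
    "password/quality/credit/upper",
]

# PCI DSS wants at least SHA-256; exact value spelling is an assumption.
ACCEPTED_HASHES = {"SHA-256", "SHA-512", "BCRYPT"}


def parse_ucr_dump(text):
    """Turn 'key: value' lines into a dict; blank or malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def _get(ucr, key):
    return ucr.get(key, DEFAULTS.get(key, ""))


def _as_int(value):
    try:
        return int(value)
    except ValueError:
        return 0


def audit(ucr):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    umc = _as_int(_get(ucr, "umc/http/session/timeout"))
    if umc > PCI_MAX_IDLE_SECONDS:
        findings.append(f"umc/http/session/timeout is {umc}s, PCI DSS allows at most {PCI_MAX_IDLE_SECONDS}s")

    # sshd drops an idle session after ClientAliveInterval * ClientAliveCountMax seconds;
    # an interval of 0 disables the mechanism entirely.
    interval = _as_int(_get(ucr, "sshd/config/ClientAliveInterval"))
    count = _as_int(_get(ucr, "sshd/config/ClientAliveCountMax"))
    if interval == 0 or interval * count > PCI_MAX_IDLE_SECONDS:
        findings.append(f"SSH idle timeout is {interval * count}s (interval {interval} x count {count})")

    # The guide: set at least three of the four credit variables to 1 or more.
    enabled_classes = sum(1 for var in CREDIT_VARS if _as_int(_get(ucr, var)) >= 1)
    if enabled_classes < 3:
        findings.append(f"only {enabled_classes} password character classes required, need at least 3")

    method = _get(ucr, "password/hashing/method").upper()
    if method not in ACCEPTED_HASHES:
        findings.append(f"password/hashing/method is {method or 'unset'}, need SHA-256 or stronger")

    if _get(ucr, "sshd/Protocol") == "1":
        findings.append("sshd/Protocol is 1, must be 2")
    if _get(ucr, "sshd/xforwarding").lower() in ("yes", "true"):
        findings.append("sshd/xforwarding is enabled, must be disabled")
    if _get(ucr, "sshd/permitroot").lower() in ("yes", "true"):
        findings.append("sshd/permitroot is enabled, root login over SSH should be disabled")

    return findings


# Constructed sample resembling a fresh UCS 4.2 installation.
SAMPLE_DEFAULT = """umc/http/session/timeout: 28800
sshd/config/ClientAliveInterval: 60
sshd/config/ClientAliveCountMax: 3
password/quality/credit/digits: 0
password/hashing/method: SHA-512
sshd/xforwarding: yes
"""

# Constructed sample after applying the guide's recommendations.
SAMPLE_HARDENED = """umc/http/session/timeout: 900
sshd/config/ClientAliveInterval: 300
sshd/config/ClientAliveCountMax: 3
password/quality/credit/digits: 1
password/quality/credit/lower: 1
password/quality/credit/upper: 1
password/hashing/method: SHA-512
sshd/xforwarding: no
sshd/permitroot: no
"""

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit(parse_ucr_dump(sample)) or ['ok']}")
```

On a UCS system, `ucr dump | python3 audit.py` style piping (reading `sys.stdin` instead of the samples) gives the same report for the live configuration; the script deliberately leaves the self-service token lifetime out because its unit is not stated above.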
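The account deactivation item above states that finding accounts unused for 90 days needs a custom check and names lastLogonTimestamp (Samba/AD) and sambaPwdLastSet (OpenLDAP) as useful attributes. The script below is an added example, not UCS code: it converts the Windows FILETIME value of lastLogonTimestamp to Unix time, takes the most recent timestamp it can find per account, skips accounts whose UDM disabled property is already set, and lists the rest with their idle days. The account records are a constructed sample in the shape a Python LDAP search result would have; on a real system you would fill them from univention-s4search or univention-ldapsearch output.

```python
"""List enabled accounts with no recorded activity in the last 90 days.

Added example, not UCS code. SAMPLE_ACCOUNTS and NOW are constructed.
"""
from datetime import datetime, timezone

MAX_IDLE_DAYS = 90
# Windows FILETIME counts 100-ns ticks since 1601-01-01; Unix time starts 1970-01-01.
EPOCH_DIFF_SECONDS = 11644473600


def filetime_to_unix(filetime):
    """Convert an AD lastLogonTimestamp (FILETIME) to Unix seconds; 0 means never."""
    ticks = int(filetime)
    if ticks <= 0:
        return None
    return ticks // 10_000_000 - EPOCH_DIFF_SECONDS


def last_activity(account):
    """Most recent activity as Unix seconds, or None if no timestamp is present.

    lastLogonTimestamp is replicated but, in Active Directory, only refreshed
    when it is older than 14 days by default, so it can lag by that much;
    lastLogon is exact but local to each DC. sambaPwdLastSet (Unix seconds)
    only proves a password change, which is still a sign the account was used.
    """
    candidates = []
    if account.get("lastLogonTimestamp"):
        ts = filetime_to_unix(account["lastLogonTimestamp"])
        if ts is not None:
            candidates.append(ts)
    if account.get("sambaPwdLastSet"):
        candidates.append(int(account["sambaPwdLastSet"]))
    return max(candidates) if candidates else None


def find_inactive(accounts, now_unix, max_idle_days=MAX_IDLE_DAYS):
    """Return [(uid, idle_days)] for enabled accounts idle longer than the limit.

    idle_days is None for accounts without any activity timestamp at all.
    """
    hits = []
    for account in accounts:
        if account.get("disabled") == "1":  # already deactivated, nothing to do
            continue
        ts = last_activity(account)
        if ts is None:
            hits.append((account["uid"], None))
            continue
        idle_days = (now_unix - ts) // 86400
        if idle_days > max_idle_days:
            hits.append((account["uid"], idle_days))
    return hits


# Constructed sample; FILETIME values correspond to the dates in the comments.
SAMPLE_ACCOUNTS = [
    {"uid": "alice", "lastLogonTimestamp": "133485408000000000", "disabled": "0"},  # 2024-01-01
    {"uid": "bob", "lastLogonTimestamp": "133589952000000000", "disabled": "0"},    # 2024-05-01
    {"uid": "carol", "sambaPwdLastSet": "1700000000", "disabled": "0"},             # 2023-11-14
    {"uid": "svc-old", "lastLogonTimestamp": "133485408000000000", "disabled": "1"},
    {"uid": "dave", "disabled": "0"},  # no logon or password change recorded
]

# Constructed reference time; use int(time.time()) on a live system.
NOW = int(datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    for uid, days in find_inactive(SAMPLE_ACCOUNTS, NOW):
        print(f"{uid}: {'no activity recorded' if days is None else f'{days} days idle'}")
```

Accounts reported with `None` need a manual decision: a user who never logged on may be a freshly created account, so compare against its creation date before disabling it.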

Services that might store sensitive data

Samba in General

Deactivate server side support for SMB1

There are several versions of the SMB protocol. The protocol level SMB1 has several security issues and should be deactivated. Starting with UCS 5.0 it is disabled by default. The protocol level SMB1 is called LANMAN1 in Samba smb.conf or testparm output. The minimum protocol level supported by a UCS/Samba server can be raised to SMB2 by setting

ucr set samba/min/protocol="SMB2_02"

and restarting Samba by running /etc/init.d/samba restart.

Deactivate Netbios service

The Netbios protocol is used by Microsoft clients to fill the list of systems in the network environment of the Windows Explorer and to resolve short netbios names, like the name of the workgroup. If you don’t need that and use DNS only (using FQDNs is required for Kerberos anyway), it may be a good idea to deactivate the nmbd service in UCS/Samba by running

/etc/init.d/samba stop
ucr set nmbd/autostart=no
ucr set samba4/service/nmb=s4
/etc/init.d/samba start

Samba Active Directory Domain Controller

Consider setting ms-DS-MachineAccountQuota to 0 if you don’t actually need that feature. The current value can be checked with univention-s4search -s base ms-DS-MachineAccountQuota.

UCS systems installed before UCS 5.0 may still have the parameter acl:search set to no in /etc/samba/smb.conf. You should consider changing that by running ucr set samba/acl_search=yes on each UCS Samba/AD server (i.e. Primary/Master, Backup and Replica/Slave Nodes). The current value can be checked e.g. with samba-tool testparm --suppress-prompt | grep acl:search.

While there is a lot of security advice for MS Active Directory online, please be aware that not everything applies to the Samba implementation of AD. There are also recommendations that may have collateral drawbacks to be aware of. E.g. removing the Authenticated Users group identity from the Pre-Windows 2000 Compatible Access group may make memberOf backlinks in Samba/AD invisible for non-privileged users. This may be fine, but should be checked carefully.

One of the useful general tips for the hardening of Active Directory domains is to enable LAPS.

Samba uses GnuTLS for TLS based transport encryption. The used TLS ciphers can be configured to exclude broken protocols and algorithms:

samba/tls/priority: <empty>
 This variable can be set to a string describing the TLS protocols to be
 supported in the parts of Samba that use GnuTLS, specifically the AD DC.
 The string must be in the format of a GnuTLS supported priority string
 (see man smb.conf)

The default is NORMAL:-VERS-SSL3.0, which excludes SSLv3.

For more information on GnuTLS and its priority strings see: Priority Strings (GnuTLS 3.8.3) and GnuTLS Priority Strings - lighty's life

You can test the current configuration:

univention-install gnutls-bin                                     # install the CLI package
gnutls-cli -l                                                     # lists all available ciphers
gnutls-cli --priority "NORMAL:-VERS-SSL3.0" -p 636 $(hostname -f) # connect to the Samba/AD service

A more strict configuration that only allows TLS 1.2 with AES GCM would be:
ucr set samba/tls/priority="NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-CIPHER-ALL:-SHA1:-MD5:-RSA:-ARCFOUR-128:+AES-256-GCM:+AES-128-GCM:%SERVER_PRECEDENCE"

Important: This configuration has not been tested for broad client compatibility and will likely deny access to older clients such as Windows XP.

To be able to use Diffie-Hellman key exchanges, we need a DH-Param file:

samba/tls/dh/params/file: <empty>
 This variable can be set to the name of a file with Diffie-Hellman parameters
 (PEM format) which will be used with EDH ciphers (see man dhparam).
  • openssl dhparam -out /etc/univention/ssl/samba_dhparams.pem 2048
  • ucr set samba/tls/dh/params/file="/etc/univention/ssl/samba_dhparams.pem"

For security reasons, SMB signing should be mandatory, and NTLMv1 and SMBv1 should be disabled:

ucr set samba/server/signing='mandatory' \
        samba/ntlm/auth='no' \
        samba/min/protocol='SMB2' \
        samba/client/min/protocol='SMB2'

Active Directory password history and default grace period after changing passwords

If the domain has activated a password history in Samba, then after changing a password, Samba by default allows logging in with the previous password via NTLM network authentication (i.e. not via Kerberos, e.g. kinit) for a grace period which by default is 60 minutes.
This is Microsoft Active Directory conforming behavior, see NTLM network authentication changes - Windows Server | Microsoft Learn.
The grace period can be adjusted (e.g. to 0 minutes) by setting the parameter old password allowed period in the Samba configuration. This can be done e.g. by running

echo -e "[global]\n\told password allowed period = 0" >> /etc/samba/local.conf
ucr commit /etc/samba/smb.conf
/etc/init.d/samba restart

Since this is a local setting, influencing the local domain controller, it needs to be adjusted on each UCS Directory Node which is running as Samba AD DC individually.

OpenLDAP

OpenLDAP uses OpenSSL for TLS based transport encryption. The used TLS ciphers can be configured to exclude broken protocols and algorithms:

ldap/tls/ciphersuite: <empty>
 This configures the cryptographic algorithms which are offered to clients
 during a SSL handshake. The format is described at
 <http://www.openldap.org/software/man.cgi?query=slapd.conf>.
 If the variable is unset, 'HIGH:MEDIUM:!aNULL:!MD5:!RC4' is used.
ldap/tls/minprotocol: <empty>
 This configures the minimum version for the SSL/TLS protocol. For TLS
 1.0/1.1/1.2 the value 3.1/3.2/3.3 must be specified. Default is 3.1 for TLSv1.0.

The TLS protocol version SHOULD be upgraded to at least TLS 1.2:

ucr set ldap/tls/minprotocol='3.3'

Other important UCR variables:

  • ldap/tls/dh/cron: <empty>
    Cronjob interval for recreating DH parameter files (forward secrecy).
  • ldap/tls/dh/paramfile: /etc/ldap/dh_2048.pem
    This configures the name of the file containing the parameters for Diffie-Hellman ephemeral key exchange. Default is /etc/ldap/dh_2048.pem.
  • ldap/tls/dh/restart: <empty>
    Automatically restart the LDAP server, after a new DH parameter file has been generated. Disabled by default.

Apache

It is recommended to enforce HTTPS and configure Apache to only offer modern TLS ciphers, e.g.:

apache2/force_https: yes
apache2/ssl/ciphersuite: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
apache2/ssl/honorcipherorder: true
apache2/ssl/tlsv12: true
apache2/hsts: yes

(updated 03-2021)

Postfix

mail/postfix/tls/client/exclude_ciphers: RC4, aNULL, MD5, DES
 List of ciphers or cipher types to exclude from the Postfix SMTP client cipher list at all TLS security levels as described in <http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers>. Defaults to "RC4, aNULL"

mail/postfix/tls/client/level: may
 This variable configures the use of TLS encryption in SMTP: 'may' uses TLS if the other server offers it, 'none' deactivates it. Further configuration directives are documented at <http://www.postfix.org/postconf.5.html#smtp_tls_security_level>.

mail/postfix/tls/client/mandatory_protocols: !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. (default: '!SSLv2') <http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_protocols>

mail/postfix/tls/client/protocols: !SSLv2,!SSLv3
 List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption. (default: '!SSLv2') <http://www.postfix.org/postconf.5.html#smtp_tls_protocols>

mail/postfix/tls/preempt/cipherlist: yes
 If set to 'yes' the Postfix SMTP server uses its own cipher preference order instead of the remote client's cipher preference order.

(updated 03-2021)

see also: Hardening Postfix: Restrict Mail Transport

Dovecot

mail/dovecot/ssl/parameters_regenerate: <empty>
 How often to regenerate the SSL parameters file in hours, 0 disables regeneration. Defaults to "168" (once per week).

mail/dovecot/ssl/prefer_server_ciphers: <empty>
 Prefer the server's order of ciphers over client's. Defaults to "yes".

mail/dovecot/ssl/protocols: <empty>
 SSL protocols to use. Defaults to "!SSLv2 !SSLv3".

MySQL

The MySQL server package in UCS will automatically create and configure a password for the MySQL superuser (root) during installation. This password is stored in /etc/mysql.secret - if you change the root password in MySQL, don’t forget to also change it in that file.

After the installation, run mysql_secure_installation. This will …

  • Remove anonymous users
  • Disallow root login remotely
  • Remove test database and access to it

Depending on whether you installed mysql-server or univention-mysql, the MySQL daemon is either listening on localhost only (127.0.0.1) or on all interfaces (0.0.0.0). The latter is useful for applications inside a Docker container. For univention-mysql you can restrict the access via the UCR variable mysql/config/mysqld/bind_address. The port is 3306 and there is NO default firewall rule. That means accessing MySQL from another system has to be allowed through a custom packetfilter rule, making it more secure by default.

PostgreSQL

PostgreSQL is usually installed via the meta package univention-postgresql. PostgreSQL is listening on port 5432 on all network interfaces (0.0.0.0) by default, but only allows connections from localhost (127.0.0.1), the Docker interface (172.17.42.1/16) and a local socket. There is also a default firewall rule that allows remote systems to access port 5432 (security/packetfilter/package/univention-postgresql-9.4/tcp/5432/all). If necessary, this default rule can be disabled and replaced by a custom iptables rule in /etc/security/packetfilter.d/50_local.sh.
To access the databases, you need to use the user postgres (or a dedicated user per database).

UMC

Starting with UCS 4.2 errata 64, SSLv3 is now disabled for the UMC server (Port 6670). The OpenSSL ciphers can be configured via the UCR variable umc/server/ssl/ciphers.
