Windows Security - escarpment.net


Windows Security
Matthew Cook
http://escarpment.net/
Introduction
Loughborough University
http://www.lboro.ac.uk/computing/
Janet Web Cache Service
http://wwwcache.ja.net/
Bandwidth Management Advisory Service
Topics
• Security Overview
• Windows 2000/XP
• Auditing
• Operating System Patching
• Baseline Security Analyzer
• Incident Response
• Useful Books, Tools and URLs
• Back Office Products
Security Overview
“This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?”
Bruce Schneier
Security Overview
Why bother?
• Keeping control and service availability
• Data Integrity (DPA)
• Legal Liability
• Reactive Work Loads
• Bad Public Relations
• Personal Responsibility
Windows 2000/XP
Range of secure operating systems
• Login required
• ACLs can be applied to files and folders
• Auditing and logging facilities
• Security Templates
• NTFS/EFS
• IPSec and Kerberos
Windows 2000/XP
• Install the OS offline
• Consider partitions for:
– System
– User Storage
– Services
– Logs
• Use select slipstreamed CDs
• Install only required features
• Install current, relevant SPs and hot fixes offline
Windows 2000/XP
Ensure the vulnerable Windows ports are blocked at the firewall.
• NetBIOS Browsing Request [UDP 137]
• NetBIOS Browsing Response [UDP 138]
• NetBIOS Communications [TCP 135]
• CIFS [TCP 139, TCP 445, UDP 445]
• Port 445 is Windows 2000 only
Auditing
• Turn it on and configure it!
• Use the ‘User Manager’ utility (NT) or the ‘Security Settings’ applet (W2K) to ensure the Audit Policy has been configured
• Check the Event Viewer frequently
• Use NTLast (Foundstone): http://www.foundstone.com/
• Or ELM (TNT Software): http://www.tntsoftware.com/
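The "check the Event Viewer frequently" step, as an added example that is not from the slides: an NTLast-style review in Python of a Windows 2000 Security log exported from Event Viewer as tab-separated text. The column layout and the sample log lines are assumed and constructed; the event IDs (528, 529, 517, 612) are the NT/2000 Security log IDs.

```python
# NTLast-style review of a Windows 2000 Security log exported from Event Viewer.
# Added example, not from the slides; assumes a tab-separated export with the
# columns date, time, event id, user, workstation. The sample data is constructed.
from collections import Counter

LOGON_SUCCESS = 528         # Windows NT/2000 Security log event IDs used below
LOGON_FAILURE = 529
AUDIT_LOG_CLEARED = 517
AUDIT_POLICY_CHANGED = 612
FAILURE_THRESHOLD = 3  # failed logons per account/workstation worth reporting

# Constructed sample export: date<TAB>time<TAB>event id<TAB>user<TAB>workstation
SAMPLE_LOG = """\
2003-01-14\t08:02:11\t528\tjbloggs\tWS-EXAMPLE-01
2003-01-14\t22:41:03\t529\tAdministrator\tWS-EXAMPLE-09
2003-01-14\t22:41:05\t529\tAdministrator\tWS-EXAMPLE-09
2003-01-14\t22:41:07\t529\tAdministrator\tWS-EXAMPLE-09
2003-01-14\t22:41:14\t528\tAdministrator\tWS-EXAMPLE-09
2003-01-14\t22:45:00\t612\tAdministrator\tWS-EXAMPLE-09
2003-01-14\t22:46:30\t517\tAdministrator\tWS-EXAMPLE-09
"""

def parse_export(text):
    """Yield (event_id, user, workstation) for each non-empty exported line."""
    for line in text.splitlines():
        if line.strip():
            _date, _time, event_id, user, workstation = line.split("\t")
            yield int(event_id), user.lower(), workstation

def review(text):
    """Return the findings a routine Event Viewer check should surface."""
    streak, total = Counter(), Counter()  # consecutive / overall failures per key
    findings = {"brute_force": [], "success_after_failures": [], "tampering": []}
    for event_id, user, ws in parse_export(text):
        key = (user, ws)
        if event_id == LOGON_FAILURE:
            streak[key] += 1
            total[key] += 1
        elif event_id == LOGON_SUCCESS:
            if streak[key] >= FAILURE_THRESHOLD:  # success right after a run of failures
                findings["success_after_failures"].append(key)
            streak[key] = 0
        elif event_id in (AUDIT_LOG_CLEARED, AUDIT_POLICY_CHANGED):
            findings["tampering"].append((event_id, user, ws))  # audit trail touched
    findings["brute_force"] = [k for k, n in total.items() if n >= FAILURE_THRESHOLD]
    return findings

if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```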
Operating System Patching
• Operating systems do contain bugs, and patches are the common method of distributing fixes for them.
• A patch or hot fix usually contains a fix for one discovered bug.
• Service packs contain multiple patches or hot fixes. There are well over 200 hot fixes in the soon to be released SP4 for Windows 2000.
Operating System Patching…
• Only install patches after you have tested them in a development environment.
• Only install patches obtained direct from the vendor.
• Install security patches as soon as possible after release.
• Install feature patches as and when needed.
• Automate patch collection and installation as much as possible (QChain).
Operating System Patching…
Use automated patching technology:
• SUS – Microsoft Software Update Service
• SMS – Microsoft Systems Management Server
• Ghost – Symantec imaging software.
And other application deployment software:
• Lights out Distribution
• Deferred installation
Baseline Security Analyzer
• Freely available from Microsoft
• Written by Shavlik Technologies as a direct result of the Code Red attacks
• A GUI to HFNetChk (v3.81)
• Improved feature set
• Integrated SUS functionality
Baseline Security Analyzer…
MBSA v1.1 supports the following host OS:
• Windows 2000 Professional / Server
• Windows XP Home / Professional
• Windows .NET not officially supported
• Windows NT not supported as host OS
• Remote scanning available
Baseline Security Analyzer…
What applications does MBSA scan?
• Operating system
• Internet Explorer 5.01 and later
• Microsoft Office 2000 and 2002
• Media Player 6.4 and later
• Internet Information Services 4.0 and 5.0
• SQL Server 7.0 and 2000
• Exchange Server 5.5 and 2000
Baseline Security Analyzer…
• MBSA will replace HFNetChk
• /hf flag introduced into the CLI
• mbsacli.exe /hf <hfnetchk switches>
New features:
• Security best practices
• Strong Passwords
• Security Mis-configurations
• Application configurations
Incident Response
What is an Incident?
“Any real or suspected adverse event in relation to the security of computer systems or computer networks.”
Or
“The act of violating an explicit or implied security policy.”
Incident Response…
• Don’t Panic!
• Unplug the network
• Get a notebook
• Back up the system and keep the back-ups
• Restrict use of email
• Look for information
• Investigate the cause
• Request help and assistance
Incident Response…
• Important to return to service swiftly
– Do not jeopardize security
– If in doubt, re-build
– Perform forensics on a backup
• Keep documentation and evidence
• Contact RSC or CERT if the investigation proves non-worm/script-kiddie activity.
Useful Books, Tools and URLs
• Fport - Foundstone Software
http://www.foundstone.com/knowledge/
• L0pht Crack - @Stake
http://www.atstake.com/research/lc/
• Snort – Open Source
http://snort.sourcefire.com/
• Nmap – Insecure.org
http://www.insecure.org/nmap/
• Nessus – Renaud Deraison
http://www.nessus.org/
Useful Books, Tools and URLs
• Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.)
• Incident Response. (Kenneth R. van Wyk, Richard Forno.)
• Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al.)
• Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)
Useful Books, Tools and URLs
• Microsoft Security Website
http://www.microsoft.com/security/
• Computer Security Incident Response Team
http://www.cert.org/csirts/csirt_faq.html
• JANET CERT
http://www.ja.net/cert/
• Bugtraq Mailing List
http://online.securityfocus.com/
Questions and Answers