
SEC313
Securing Enterprise Platforms and Perimeters
AKA – Building a Perimeter Platform and Infrastructure (with security)
Ben Smith
Senior Security Strategist
Microsoft Corporation
Agenda
Understanding the Goals of Network Perimeter Security
Defining the Basic Rules of Engagement for Security
Building a Perimeter Platform for Security using Microsoft technologies
Application Security
Host Security
Closing Notes
Understanding the Goals
Security goal #1: Keep information away from the attacker
Security goal #2: Allow the right users access to the right information
Security goal #3: Keep a record of #1 and #2
Security goal #4: Make sure that security is user/administrator friendly
Security goal #5: Don’t let the previous goals cost too much
It can be done!
and it can be done without a firewall!
Open Hack 4 - eWeek Magazine's annual contest
This year—
Application-level security focus
Goal: modify information in database
82,500 attempted attacks over 2 ½ weeks
Microsoft entry wasn’t compromised
Lesson learned: Reasonably skilled administrators and developers can build Windows environments that are secure and resilient against attack
10 Basic Rules of Perimeter Security
1. Minimize the attack surface
2. Least Privilege (deny by default)
3. Defense-in-Depth
4. Compartmentalization
5. Carry a big stick (You have to tell people NO!)
6. Understand what your perimeter really is!
7. Know you cannot defend against other Administrators or poor physical security
8. Assess your security (the attacker will be!)
9. If you are not up-to-date, you are not secure
10. Avoid Assumptions
Application Security
Ben’s rule of perimeter application security:
If the application has security holes, the best you can hope for is to slow the hackers down or limit the damage the attacker can do
You must work with your developers!
Key Components
Input Validation, Input Validation, Input Validation
Authentication
Impersonation/Delegation
Data Security
Coding Practices
Code Review
Penetration Testing
Case study – Lessons learned: Input Validation
For every application in/on the perimeter you must answer:
1. What data is being accessed or stored locally
2. What data is being transmitted
3. How the application communicates with other computers
4. How authentication is handled
5. What security measures the application is providing
6. What services the application depends on
7. How the application will be managed
8. Who will be managing the application
9. How operations can be audited
10. What the potential threats and vulnerabilities of the application are
Infrastructure/Host Security
Perimeter Architecture Examples
Baseline security
TCP/IP Security
Software Restriction Policies
IIS 6.0
IPSec
Management Networks
Perimeter Architecture: small environment (diagram)
Components: Internet; ISA Server with inbound VPN; Web Server; Test Web Server; Active Directory; LAN Clients
Traffic allowed in:
Web – TCP 80/443 via web publishing
DNS – TCP/UDP 53
PPTP – IP 47, UDP 1723 to the ISA Server
Traffic allowed out:
DNS – TCP/UDP 53
Web/FTP using proxy services
Perimeter Architecture: large environment (diagram)
Networks: Internet; Perimeter Network; Limited Access Network; Management Network; Corporate Network
Components: three ISA Servers; Web Servers/Server Farms; DMZ AD Forest; SQL Database/Cluster; Terminal Server; Active Directory with IAS as RADIUS Server; RRAS Server with IAS as RADIUS Proxy; corporate Active Directory
Perimeter Security Challenges
Most security challenges are related to the expansion from small to large
Network-level complexity
More router ACLs
Complex firewall rules
More IPSec policies
More multi-connected boxes
People-level complexity
More administrators
Distributed data to secure
More patch management issues
Host-level complexity
More systems and applications to monitor
Authentication issues to manage
Content propagation and management
2 Ways to Address the Complexity
1. Design the scalability of security from the start
Follow best practices for environments with more complexity and higher security requirements
Create a security budget for expansion
Assess the security of your network from the outside
Think about compartmentalization!
2. Build reusable security components on the hosts
Baseline security policy: Security Templates
Server-specific security policy: Security Templates, SRPs, Security Tools
Host-based IP security: TCP/IP Security, IPSec policies
Management security: VPN, Network Access Quarantine, RADIUS, Multifactor auth
Baseline Security
Starts and ends with credential management
There is no patch for weak passwords or weakly managed passwords!
Tips:
1. Use multi-factor authentication when possible
2. Educate users and administrators on creating passwords: it is often easier for users to remember a 20- to 30-character password than an 8-character one
3. Enforce password complexity systematically
4. Don’t reuse passwords or share accounts
5. Avoid account lockout policies (aka the “increase your support costs” feature)
Password Reuse Issue (diagram)
Server 1 – Account: BackupAccount1, Password: VeryHardToGuessPassword
Server 2 – Account: Administrator, Password: VeryHardToGuessPassword
Server 3 – Account: MailServiceAccount1, Password: VeryHardToGuessPassword
1. Server 1 gets hacked
2. Attacker extracts LSA Secrets
3. Obtains password to service accounts
4. Attacker attempts to use Server 1 password on Server 1..ServerN
5. Hacks Server 2 and Server 3
Baseline Security Options
Start with the Windows Hardening Guides
Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14845
Securing Windows 2000 Server
http://go.microsoft.com/fwlink/?LinkId=14837
Add settings for your requirements
Always test the settings in your environment!
Highlights from the Baseline Guide
Configures Audit Policy
Removes LM password hashes
Raises NTLM compatibility level
Restricts anonymous enumeration
Disables POSIX subsystem
Further restricts services
TCP/IP Security on the host
Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirect – protects against bouncing ICMP packets to 3rd parties; set to 0
DisableIPSourceRouting – prevents an attacker from dictating the path of IP-based packets; set to 2
SynAttackProtect – aggressively times out TCP connections; set to 1 in Windows Server 2003, set to 2 in Windows 2000 and Windows XP
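An added PowerShell example (not part of the deck) that audits the three values above against the slide's recommended settings and, with -Apply, writes them; it assumes the Windows 2000/XP/Server 2003 meaning of SynAttackProtect, and the function and variable names are mine.

```powershell
# Added example, not from the deck: audit (and with -Apply, set) the three TCP/IP
# hardening values listed above. It assumes the Windows 2000/XP/Server 2003 meaning
# of SynAttackProtect; later Windows versions do not use that value.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpipHardeningBaseline {
    # Windows Server 2003 (5.2) caps SynAttackProtect at 1; Windows 2000/XP take 2.
    $osVersion = [Environment]::OSVersion.Version
    $synAttackProtect = if ($osVersion -ge [Version]'5.2') { 1 } else { 2 }
    @{
        EnableICMPRedirect     = 0                 # ICMP redirects may not rewrite the route table
        DisableIPSourceRouting = 2                 # drop every source-routed packet
        SynAttackProtect       = $synAttackProtect # time out half-open connections aggressively
    }
}

function Test-TcpipHardening {
    param([switch]$Apply)   # without -Apply the function only reports
    $baseline = Get-TcpipHardeningBaseline
    foreach ($name in $baseline.Keys) {
        $expected = $baseline[$name]
        # A missing value is reported as $null instead of raising an error.
        $item = Get-ItemProperty -Path $TcpipParams -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.$name } else { $null }
        $compliant = ($current -eq $expected)
        if (-not $compliant -and $Apply) {
            # REG_DWORD; -Force creates a missing value or overwrites a wrong one.
            New-ItemProperty -Path $TcpipParams -Name $name -Value $expected `
                -PropertyType DWord -Force | Out-Null
        }
        New-Object PSObject -Property @{
            Value     = $name
            Current   = $current
            Expected  = $expected
            Compliant = $compliant
        }
    }
}

# Report only. Run as an administrator with -Apply to change the values, then reboot
# so the TCP/IP stack reads them.
Test-TcpipHardening | Format-Table Value, Current, Expected, Compliant -AutoSize
```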
Case study – Lessons learned: Denial of Service attack on a major web site
Demo: Customizing Security Templates
Software Restriction Policies
Used to control applications running on a computer
Rule types: Hash Rule, Certificate Rule, Path Rule, Internet Zone Rule
Two modes:
• Disallowed – applications do not run unless specifically allowed
• Unrestricted – applications are allowed to run unless explicitly disallowed
Software Restriction Policies
Control executable code:
.ADE .ADP .BAS .BAT .CHM .CMD .CPL .CRT .EXE .HLP .HTA .INF
.INS .ISP .JS .JSE .LNK .MDB .MDE .MSC .MSI .MSP .MST .PCD
.PIF .REG .SCR .SCT .SHS .URL .VB .VBE .VBS .WSC .WSF .WSH
Demo: Software Restriction Policy
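An added PowerShell example (not part of the deck) that reads the machine's Software Restriction Policy from the documented Safer\CodeIdentifiers registry key, reports whether the default level is Disallowed or Unrestricted, and lists which of the extensions above are missing from the designated file types; the function name is mine.

```powershell
# Added example, not from the deck: report the SRP default level and which of the
# executable types from the slide are not covered. Assumes the documented SRP
# registry layout under Safer\CodeIdentifiers (DefaultLevel, ExecutableTypes).
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Designated file types from the slide; the registry stores them without the dot.
$SlideExecutableTypes = @(
    'ADE','ADP','BAS','BAT','CHM','CMD','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST','PCD',
    'PIF','REG','SCR','SCT','SHS','URL','VB','VBE','VBS','WSC','WSF','WSH'
)

function Get-SrpStatus {
    $ids = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    if ($null -eq $ids) { return 'No Software Restriction Policy is defined on this machine.' }

    # DefaultLevel: 0x00000 = Disallowed (only explicitly allowed software runs),
    # 0x40000 = Unrestricted (everything runs unless a rule blocks it).
    $level = $ids.DefaultLevel
    if ($null -eq $level)        { $mode = 'Not set (no default level enforced)' }
    elseif ($level -eq 0)        { $mode = 'Disallowed' }
    elseif ($level -eq 0x40000)  { $mode = 'Unrestricted' }
    else                         { $mode = 'Unknown (0x{0:X})' -f $level }

    # ExecutableTypes is a REG_MULTI_SZ; compare case-insensitively with the slide's list.
    $configured = @()
    if ($ids.ExecutableTypes) {
        $configured = @($ids.ExecutableTypes | ForEach-Object { $_.ToUpper() })
    }
    $missing = @($SlideExecutableTypes | Where-Object { $configured -notcontains $_ })

    New-Object PSObject -Property @{
        DefaultLevel        = $mode
        ConfiguredTypeCount = $configured.Count
        MissingFromSlide    = ($missing -join ', ')
    }
}

Get-SrpStatus | Format-List
```

A Disallowed default level with the full designated type list is the combination the deck's TS Host hardening relies on; anything reported under MissingFromSlide runs outside the policy's control.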
Configuring IIS Security
IIS 5.0
Run IIS Lockdown
Configure URLScan
IIS 6.0
Installed in lockdown mode by default
Do not install what you do not need!
Configure URLScan Verbs
Demo: IIS Lockdown and URLScan
Using IPSec for Additional Host-Based Security
Three usage scenarios:
Block network traffic
Provide authentication and integrity validation
Provide secure, encrypted communication channels
IPSec Example (diagram: Internet – Firewall – Web Server, SQL Server, TS Host)
IPSec Policy on TS Host
• Require Security: ANY <> TS Port 3389; TS Port ANY <> SQL Port 3389; TS Port ANY <> WS Port 3389
• Block: Any <> Any
IPSec Policy on Web Server
• Permit: Any -> WS Port TCP 80; Any -> WS Port TCP 443
• Require Security: WS Port 1433 <> SQL Port 1433; WS Port 3389 <> TS Port ANY
• Block: Any <> Any
IPSec Policy on SQL Server
• Require Security: SQL Port 1433 <> WS Port 1433; SQL Port 3389 <> TS Port ANY
• Block: Any <> Any
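An added PowerShell example (not part of the deck) that builds the Web Server policy from the diagram above with the Windows Server 2003 netsh ipsec static context; the addresses, policy and rule names are constructed placeholders, and kerberos=yes is an assumption about how the hosts authenticate.

```powershell
# Added example, not from the deck: build the slide's Web Server IPSec policy with the
# Windows Server 2003 "netsh ipsec static" context. Addresses are constructed
# placeholders. The slide's "WS Port 1433 <> SQL Port 1433" is modelled as any local
# port to SQL 1433, because the web server connects from an ephemeral port.
$SqlServer = '192.0.2.20'   # constructed placeholder: SQL Server address
$TsHost    = '192.0.2.30'   # constructed placeholder: TS Host address
$Policy    = 'WebServerPolicy'

function Invoke-IpsecStatic {
    param([string[]]$NetshArgs)
    & netsh ipsec static @NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $NetshArgs failed" }
}

function New-WebServerIpsecPolicy {
    Invoke-IpsecStatic @('add','policy',"name=$Policy",'assign=no')
    # Filter actions: Permit, Require Security (negotiate, never fall back to clear), Block.
    Invoke-IpsecStatic @('add','filteraction','name=Permit','action=permit')
    Invoke-IpsecStatic @('add','filteraction','name=RequireSecurity','action=negotiate','inpass=no','soft=no')
    Invoke-IpsecStatic @('add','filteraction','name=Block','action=block')
    # Permit: Any -> WS Port TCP 80 / TCP 443 (mirrored, so replies match the same filter).
    Invoke-IpsecStatic @('add','filterlist','name=WebTraffic')
    foreach ($port in 80, 443) {
        Invoke-IpsecStatic @('add','filter','filterlist=WebTraffic','srcaddr=any','dstaddr=me',
                             'protocol=TCP','srcport=0',"dstport=$port",'mirrored=yes')
    }
    # Require Security: WS <> SQL Port 1433 and TS Host <> WS Port 3389.
    Invoke-IpsecStatic @('add','filterlist','name=SecuredPeers')
    Invoke-IpsecStatic @('add','filter','filterlist=SecuredPeers','srcaddr=me',"dstaddr=$SqlServer",
                         'protocol=TCP','srcport=0','dstport=1433','mirrored=yes')
    Invoke-IpsecStatic @('add','filter','filterlist=SecuredPeers',"srcaddr=$TsHost",'dstaddr=me',
                         'protocol=TCP','srcport=0','dstport=3389','mirrored=yes')
    # Block: Any <> Any. The most specific matching filter wins, so the rules above still
    # apply, and IKE stays exempt (see NoDefaultExempt) so negotiation is never blocked.
    Invoke-IpsecStatic @('add','filterlist','name=Everything')
    Invoke-IpsecStatic @('add','filter','filterlist=Everything','srcaddr=any','dstaddr=me','protocol=ANY','mirrored=yes')
    # Rules tie each filter list to its action. kerberos=yes assumes the hosts share a
    # forest; use psk= or rootca= for hosts that do not.
    Invoke-IpsecStatic @('add','rule','name=AllowWeb',"policy=$Policy",'filterlist=WebTraffic','filteraction=Permit')
    Invoke-IpsecStatic @('add','rule','name=SecurePeers',"policy=$Policy",'filterlist=SecuredPeers','filteraction=RequireSecurity','kerberos=yes')
    Invoke-IpsecStatic @('add','rule','name=BlockRest',"policy=$Policy",'filterlist=Everything','filteraction=Block')
}

# Create the policy, review it with "netsh ipsec static show all", then assign it with
# "netsh ipsec static set policy name=WebServerPolicy assign=y".
New-WebServerIpsecPolicy
```

Assign the policy from a console session rather than over RDP, since the Block rule takes effect before the TS Host negotiation is confirmed to work.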
Default Exempt Rules in IPSec
Stored in the registry value:
HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
NoDefaultExempt value – traffic types exempt from IPSec filtering:
0 – RSVP, IKE, Kerberos, Multicast, Broadcast
1 – IKE, Multicast, Broadcast
2 – RSVP, IKE, Kerberos
3 – IKE
Demo: IPSec
Managing the Perimeter (diagram)
Components: Admin Laptop; Internet; two Firewalls; RRAS Server with IAS as RADIUS Proxy; Terminal Server Host; Active Directory with IAS as RADIUS Server
Terminal Server Tips
Use a TS Host in the perimeter to hop between other systems
Harden the TS Host and use SRPs
Use IPSec for: Authentication; Transport Security; Host-based firewall
Do not rely on built-in Terminal Server security: No authentication; Limited control over key exchange/key material
What did we not talk about?
Topics for future study
Physical security
Patch management
Political issues
Content management and propagation
Monitoring and auditing
Application security
Closing Thoughts…
Securing applications in the perimeter is not easy for networks with high complexity
Think about building reusable security components
Plan for security scalability
Build security in from the start
Suggested Reading And Resources
The tools you need to put technology to work!
Title – Availability
Microsoft® Windows® Security Resource Kit – Available today
Writing Secure Code 2 – Available today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Ask The Experts
Get Your Questions Answered
Talk with experts about how technology can enable your organization
I will be at the Security booth tomorrow: 15:00 to 18:00, or earlier/later by request
Lattes are happily accepted ;)
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
Appendix
MSA Firewall Router and Switch Config
http://www.microsoft.com/solutions/msa/default.asp
ISA Feature Pack
http://www.microsoft.com/isaserver/featurepack1/overview/default.asp
Microsoft Solution for Security
http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp (2000)
http://go.microsoft.com/fwlink/?LinkId=14845 (2003)
Software Restriction Policy
http://www.microsoft.com/windows2000/technologies/security/redir-wnetsafer.asp
IPSec
http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/server/sag_IPSECbestpract.asp
http://support.microsoft.com/?id=813878
IIS Lockdown & URLScan 2.5
http://www.microsoft.com/technet/security/tools/tools/locktool.asp
http://www.microsoft.com/technet/security/tools/tools/urlscan.asp
AppSec
http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp
evaluations
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.