Securing Windows Networking

Securing Windows Networking
Risk Analysis & Access Control
Topics
• Risk Analysis
– Mapping Your Network Services
– Understanding Your Traffic
– Controlling Network Access
• Access Control
– Restricting Physical Access
– Account Management
• Questions
Risk Analysis
• Mapping Your Network Services
– Logical Diagram
• IP addresses of all devices
• Physical Location
• Networks/Masks
• Identify Ingress/Egress points
• Identify Critical Services
• Living Document
Risk Analysis
• Mapping Your Network Services (cont.)
– Services List
• All services, by subnetwork
• All services that cross subnetwork boundaries
– What does it look like now?
• Request NERDC scanning service to provide an external view
• Use port scanner to provide internal view
Risk Analysis
• Understanding your traffic
– NBTstat
– Netstat
– SMS Network Monitor
• Collect traffic sample from each subnetwork
• Determine protocol distribution (IP, IPX, ARP, BPDUs, etc.)
• Note IP addresses, services
• Reevaluate periodically
Risk Analysis
• Controlling Network Access
– Convert shared media to switched
– Separate servers from workstations by placing them in different subnetworks
– Restrict management access of network hardware to trusted network or addresses
Risk Analysis
• Controlling Network Access (cont.)
– Disable IP source-routing on routers
– Make sure RIP routing is disabled on systems with RRAS
– Use TCP/IP Advanced Security
Risk Analysis
• Controlling Network Access (cont.)
– Use router access lists to filter outbound traffic from each subnetwork, at a minimum:
• NetBus (t-12345/12346), Back Orifice (u-31337), NetBus Pro (t-20034)
• ICMP types 9 & 10 (IRDP)
• Proper Source Addresses
Risk Analysis
• Controlling Network Access (cont.)
– Use router access lists to filter inbound traffic at the peering point, at a minimum:
• No packets sourced with internal addresses
• NetBus (t-12345/12346), Back Orifice (u-31337), NetBus Pro (t-20034)
• ICMP types 9 & 10 (IRDP)
• ICMP to any internal broadcast addresses
• SNMP, if appropriate
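The inbound filter list above, expressed as a small packet-classification model so the rules can be checked against a traffic sample before they go into a router access list. This is an added example, not part of the original presentation; the internal subnets and the sample packets are constructed values, while the ports and ICMP types are the ones the slides name.

```python
import ipaddress
from dataclasses import dataclass
# Ingress rules from the slides. The internal subnets are constructed sample
# values; the port and ICMP-type numbers are the ones the slides list.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/25"), ipaddress.ip_network("192.0.2.128/25")]
BLOCKED_TCP = {12345, 12346, 20034}   # NetBus, NetBus Pro
BLOCKED_UDP = {31337, 161, 162}       # Back Orifice; SNMP ("if appropriate")
BLOCKED_ICMP_TYPES = {9, 10}          # IRDP router advertisement/solicitation

@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # destination port for tcp/udp
    icmp_type: int = -1  # ICMP type for icmp

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def is_internal_broadcast(addr):
    return any(ipaddress.ip_address(addr) == net.broadcast_address for net in INTERNAL_NETS)

def inbound_filter(pkt):
    """Return None to permit, or the reason for dropping, at the peering point."""
    if is_internal(pkt.src):
        return "spoofed internal source"
    if pkt.proto == "tcp" and pkt.dport in BLOCKED_TCP:
        return f"backdoor port tcp/{pkt.dport}"
    if pkt.proto == "udp" and pkt.dport in BLOCKED_UDP:
        return f"blocked port udp/{pkt.dport}"
    if pkt.proto == "icmp" and pkt.icmp_type in BLOCKED_ICMP_TYPES:
        return f"icmp type {pkt.icmp_type} (IRDP)"
    if pkt.proto == "icmp" and is_internal_broadcast(pkt.dst):
        return "icmp to internal broadcast"
    return None

# Constructed inbound sample: one legitimate web request, then one packet per rule.
SAMPLE_INBOUND = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", dport=80),
    Packet("192.0.2.5", "192.0.2.10", "tcp", dport=80),
    Packet("198.51.100.7", "192.0.2.10", "tcp", dport=12345),
    Packet("198.51.100.7", "192.0.2.10", "udp", dport=31337),
    Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=9),
    Packet("198.51.100.7", "192.0.2.127", "icmp", icmp_type=8),
]

def audit(packets):
    """Verdict per packet, so the rule set can be reviewed against a traffic sample."""
    return [inbound_filter(p) for p in packets]
```

Feeding a real capture through `audit` (one `Packet` per flow) shows which legitimate traffic a rule would also drop before the list is applied to the peering router.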
Questions?
Access Control
• Controlling Physical Access
– Critical Systems
• Secure behind a locked door
• Lockable cases
• Backup power
• Backup solution w/central storage
• Use BIOS passwords
• Disable floppy boot
Access Control
• Controlling Physical Access (cont.)
– Critical Systems (cont.)
• Use password-protected screensaver whenever unattended
• Secure network connection
– NT caches credentials of last 10 users
– MAC address locking
• No uncontrolled modems
Access Control
• Account Management
– Use Strong Passwords
• Password Filtering - PASSFILT.DLL
– minimum length
– character class restrictions
– no name or full name
– policy customizable
– Avoid Clear-Text Passwords
• Use Only Windows NT as a client
Access Control
• Account Management
– Define Strong Account Policy
• Maximum Age - 180 days or less
• Minimum Age - 5 days or more
• Minimum Length - 6 characters or more
• Uniqueness - Last 36, or (Age-max/Age-min)
• Account Lockout - 5 bad attempts within 30 min
• Lockout Period - 30 minutes or more
Access Control
• Account Management (cont.)
– Define Strong Account Policy (cont.)
• User must logon to change password
• Use logon hours
• Forcibly disconnect users, if appropriate
– Restrict User Rights
• Access this computer from network
• Log on locally - admin only
• Manage auditing and security log - admin only
Access Control
• Account Management (cont.)
– Restrict User Rights (cont.)
• Take ownership of files/objects - admin only
• Change system time - admin only if possible
• Force shutdown from remote system
• Shutdown locally, what’s appropriate?
Access Control
• Account Management (cont.)
– Special Accounts
• Administrator - Change name
• Create dummy administrator account, monitor
• Guest Account - Disable
• Use dedicated service accounts
• Monitor unusual behavior in IUSR_ accounts
Access Control
• Account Management (cont.)
– Winlogon Considerations
• Use logon banners which state at a minimum:
– Logon is restricted to authorized users only
– All subsequent actions are subject to audit
– Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Registry Keys with notice
• Hide the username of the last user
– DontDisplayLastUserName (REG_SZ, 1)
• Use roaming profiles
Questions?