Security – Consider the Risk
Hardening Active Directory
Windows 2000/2003 Network Infrastructure
Presented by: James Placer, Senior Security Analyst, ISG
James Placer
Over 17 years of IT and security experience. Certifications: Cisco CCSP, CCDP, CCNP; Checkpoint CCSE; NSA InfoSec 4011; Microsoft MCSE 2000. Contributing author to two Cisco certification books; has authored and contributed to numerous trade magazine articles in the security field.
Agenda
Current State of Network Security
Security Policy Development
Security Application
Architecture and Security
Configuring AD
Hardening Servers and Clients
Questions
CERT Coordination Center Statistics
[Chart: CERT number of incidents per year, 1999 through 1Q-2Q 2003; y-axis: number of incidents, 0 to 100,000]
Threat Capabilities: More Dangerous & Easier To Use
[Chart: timeline 1980 to 2000; the sophistication of hacker tools rises from low to high while the technical knowledge required falls. Items plotted: password guessing, password cracking, self-replicating code, exploiting known vulnerabilities, disabling audits, back doors, sniffers, sweepers, stealth diagnostics, packet forging/spoofing, DDoS, Internet worms]
2002 FBI Security Survey Results
92% of surveyed companies were hacked in 2002
90% of surveyed companies have firewalls in place
82% of the companies hacked suffered financial losses totaling over $464 million
70% of hacks are internal
Vulnerabilities to Network Attack
Internet: 65+% vulnerable
Dial-In Exploitation: 75% vulnerable (95+% vulnerable externally with secondary exploitation)
Internal Exploitation: 100% vulnerable
Security Policy Development
70% of companies who reported that they were hacked also stated that they lacked a current security policy, and that the lack of a security policy was the primary contributor.
W5
WHAT do you need to protect?
WHO needs access to it?
WHY do they need access?
From WHERE do they need access to it?
WHEN do they need access?
State and Federal Statutes affecting Security
Feingold / California Breach Law - expect federal statute in eight months
Sarbanes Oxley Act
Gramm Leach Bliley Act
HIPAA
FDA 21CFR11
ISO 17799
Security is a process, not a product or a reaction!
Security Policy Application
Appropriate Architecture
Appropriate Design
Monitoring and Accountability
Appropriate Change Management
Appropriate Technology
Appropriate User Awareness Training
Architecture Is Fundamental to Security
Domain Controllers
Authentication Servers
Web Servers
File and Print Servers
Bastion Hosts, IAS servers, etc.
Ultimate Architecture Goal
One service, one system, one appropriately secured system
Practically speaking, this may not be possible
More services lead to more vulnerabilities
Architecture Steps
Define Physical Architecture
Define Server Roles
Define Server Services
Define Security Levels Required
Define Physical Security Guidelines
Determine Appropriate Security Level
Windows Security
Windows 2003 / 2000 is Common Criteria Certified
Extreme levels of security are possible, but compatibility and performance will be degraded
Level of hardening is a business decision based on business requirements
Securing AD
Organizational Unit Design
Organizational Unit Permissions
Inheritance
Server Security
Network Security
Windows Policy Precedence
Define OUs for all Functional Server Groups
Include Administration and Infrastructure
Apply OU Policies
2003 ships with extensive default OU policies
Store on a single Domain Controller
Member Servers, Domain Controllers, File Servers, Print Servers
Infrastructure, IIS, Bastion, etc.
Secure User Groups
Create appropriate User OUs
Apply default templates if appropriate
Create custom templates as needed
Review Microsoft "Threats and Countermeasures Guide" for appropriate settings
Hardening Servers
Hardening Servers Cont.
Configurations beyond the default hardening settings in the MMC
May involve third party products, e.g. IPS systems
Determine what level of service is acceptable
Bastion Hosts
Externally accessible servers, e.g. Web, DNS
High attack probability
Must be tightly controlled
Bastion Hosts cont.
DELETE, not disable, any extra services
Use DEPENDS from the resource kit to determine dependencies
Should be one service to one server
Not published or integrated into AD; ideally no internal access
Bastion Hosts cont.
Rename all accounts
Create a dummy administrator account with no rights, for logging
Use EFS if possible
Use IP security and log
Enable local logon only
Lock down further as appropriate
Scan for vulnerabilities regularly, e.g. LANguard, Nessus, NMAP
Internal Server Hardening
Security rests on 6 items:
1. Secure the system
2. Secure the database
3. Secure the replication
4. Secure normal access methods
5. Secure the objects
6. Audit
Scan for changes, e.g. Tripwire
Scan for vulnerabilities regularly, e.g. LANguard, Nessus, NMAP, MCC
Internal Server Hardening cont.
Use EFS where possible
Use XCACLS and MCC Audit to verify file permissions and rights
Use the root forest controller as the NTP server
Use IPsec filtering
Tighten the system drive
Audit critical operations such as policy data and critical file access
Block access to ports that can be used to access AD if not required
Internal Server Hardening cont.
Install service packs and hotfixes
Remove OS/2 and POSIX registry values
Delete associated files
Enable DNS scavenging and do it rigorously
Clean up anonymous registry access
Tighten the system drive
Use NTLM v2 only for authentication
Test and retest (Tripwire for baseline, LANguard, nmap, Nessus, MBSA, MCC)
Client Hardening
Eliminate Win 9x from the environment
Use NTFS / EFS exclusively on hard drives
Use NTLM v2 authentication only
Disable file and print sharing
Do not allow local administrative rights!
Pay attention to remote VPN clients!
Scan the network frequently
Use internal client IPS if available
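Added example, not from the presentation: a Python check that reads a security template as produced by "secedit /export /cfg" on a Windows 2000/2003 server or client and flags two items from the server and client hardening slides, "NTLM v2 only" (LmCompatibilityLevel 5) and auditing of policy changes and object access. The section and key names are the standard secedit template keys; the sample template is constructed and deliberately weak.

```python
import re

# Constructed excerpt of a "secedit /export /cfg out.inf" template; the values
# are deliberately weak so that the checks below have something to report.
SAMPLE_INF = """\
[Event Audit]
AuditPolicyChange = 1
AuditObjectAccess = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
"""
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

def parse_secedit_inf(text):
    """Parse a secedit .inf export into {section: {key: value}}."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
        elif section and "=" in line:
            key, value = line.split("=", 1)
            cfg[section][key.strip()] = value.strip()
    return cfg

def reg_dword(cfg, path):
    """[Registry Values] entries are 'type,data'; type 4 is REG_DWORD."""
    entry = cfg.get("Registry Values", {}).get(path)
    if entry is None or not entry.startswith("4,"):
        return None
    return int(entry.split(",", 1)[1])

def audit_findings(cfg):
    """Return the slide items that the exported template fails."""
    findings = []
    # Level 5 sends NTLMv2 only and refuses LM and NTLM; 3 and 4 still accept them.
    lm = reg_dword(cfg, LSA + r"\LmCompatibilityLevel")
    if lm is None or lm < 5:
        findings.append(f"LmCompatibilityLevel={lm}: expected 5 (NTLMv2 only)")
    # [Event Audit] values: 0 none, 1 success, 2 failure, 3 success and failure.
    audit = cfg.get("Event Audit", {})
    for key in ("AuditPolicyChange", "AuditObjectAccess"):
        if int(audit.get(key, "0")) != 3:
            findings.append(f"{key}={audit.get(key, 'unset')}: expected 3 (success and failure)")
    return findings
```

On a real host, export the effective settings with "secedit /export /cfg out.inf" and pass the file's text to parse_secedit_inf; the same keys apply to templates built for the user and server OUs described earlier.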
Tools and References
NSA Server Security Guides: http://nsa2.www.conxion.com/win2k/
Microsoft "Threats and Countermeasures Guide"
Microsoft "Windows Server 2003 Security Guide"
Microsoft "Windows 2000 Common Criteria Guide"
Windows 2000 / 2003 resource kit
www.Nessus.org vulnerability scanner
Tools and References cont.
www.Languard.com vulnerability and device scanner
NMAP
Fport from Foundstone.com
Tripwire, file integrity checker; commercial but an excellent product
Q&A
Contact Information:
Email: [email protected]
Phone: (616) 393 7250