Application - Microsoft Center
Download
Report
Transcript Application - Microsoft Center
Secure Infrastructure
Software Restriction Policies
Motivation
Remote Explorer, ILOVEYOU
“wake up call”
New kinds of viruses
Virus writers showing very high level of skill
Targeting specific MS applications
Began analyzing virus attacks
Everyone runs as admin
Running untrusted code
Social engineering
Supported Platforms
Windows XP and Windows Server
2003 only
All SKU’s (home, pro, server, on up)
Use in a domain
Use standalone
If mixed environment, W2K clients
ignore the policy
replacement for TermSrv appsec
Aimed at Corporate Users
The standard response
Virus Detection, Quarantine, Cleanup
AV vendors doing a good job here
Ease of deployment is improving
Improve reliability, performance of filter drivers
Virus Prevention
Stopping viruses “sight unseen”
Need to balance:
Usability
Security
Flexibility
The Larger Problem
“Unknown Code”
Malicious Code
Unauthorized applications
Viruses
Trojans
Games
Peer to peer applications
Software known to cause problems
Bottom Line: Total Cost of
Ownership is Increased
Software Restriction Policies
Requirements
A way to identify code as trusted
Flexible policy based approach
Integrates with Active Directory
Group Policy
Enforced by the operating system
and applications
SRP Basic Components
Default Security Level
Additional Rules
Policy Options
Discussed on following slides
Default Security Level
All programs are known
Policy lists approved applications
Default Level is Disallowed
More secure
All programs are not known in
advance
Policy blacklists software
Default Level is Unrestricted
Additional Rules
Exceptions to the Default Level
If the Default Security is…
Unrestricted, rules specify what cannot
run
Disallowed, rules specify what is
allowed
Two Steps
Identify Software
Specify Run, Don’t Run
Rule Types and Precedence
Rules evaluated in order
Each rule specifies security level
Hash rule
Certificate rule
Path rule
Zone rule
Does a match run or not run?
If no rule matches, use Default Level
Can use wildcards
Scenarios
Only run Microsoft Office
Only run signed, trusted VB Scripts
Only run trusted applications for
administrators
Don’t run prohibited applications
Lock down running of ActiveX
controls
These can be combined
Example Policy
Allow only Microsoft Office
Path Rule
Default Rule: Disallowed
and IE
Level
%Windir%\System32\cmd.exe
Disallowed
%Windir%
Unrestricted
%ProgramFiles%\Microsoft Office\Office
Unrestricted
%ProgramFiles%\Common Files\Microsoft
Shared\
Unrestricted
%ProgramFiles%\Common Files\System
Unrestricted
%ProgramFiles%\Internet Explorer\
Unrestricted
\\logonsrv\logonscripts$
Unrestricted
DEMO: SRP
Additional Network Security Improvements
Accounts with blank passwords can’t be
authenticated to over the network
Local Admin account is disabled
Smartcards for admin accounts
Strong security for privileged accounts
Personal Firewall
Defense-in-depth in a highly connected world
Application Security Model
Authentication
Users
Front End
Back End
----
----
Impersonation?
Delegation?
Authorization & Auditing
• Application context?
• User’s context?
Flexibility, Interoperability &
Completeness
Identity & Credentials
Let the system manage user accounts
Choose the strength you need
Password, Cert + Key, Physical token (via EAP), Smart Card
Authentication Protocols
Choose a protocol with features you need
SAM (local users), AD (domain/forest users), Unix KDC (realm users)
Kerberos, Passport, Digest, SSL/TLS, HTTP , S/MIME, XMDSIG,…
Authorization
Choose the model
Impersonation/Delegation or Protected Subsystem?
Choose administration format
ACLs or Roles
Credential Management Issues
Multiple credentials are a fact of life
Use strongest form possible
Credit Cards, Driver’s License, Passport
Passwords: down-level clients
X.509 certs: SSL client authentication
Smartcards: admin accounts
Maintain Windows SSO experience
Enable roaming
Windows Server 2003 Credential
Manager
Vision for secure SSO
Secure, roamable storage per user
Name & password (Windows or Passport accounts)
X.509 certs (smartcard or local store)
Associate credentials with application/server targets
Unlock credentials during user logon
Automatically use appropriate credentials
Built-in support
Applications (RDR, shell components)
AuthN packages (Kerberos, NTLM, SSL)
Cred Manager Components
“Keyring”
Common
Credential
Collection UI
(Credui)
Apps call Credui to “harvest” credentials
Users can choose to save or not
Common UI supports:
Credential
Manager
(Credman)
Manual UI
User configures credentials for
non Credman-aware applications
Name & password
Smart cards
Secure storage of credentials
Associated with a “target”
Accessible only within LSA
(by auth packages)
Credential Manager Usage
1. User logs on at machine bobws
as bobws\bob
\\bobws
2. User uses credman aware application or API
(i.e. WNetAddConnection ) to access \\bigsrv\share
foo.com
3. Application calls to auth package to authenticate to
to \\bigsrv
4. Auth package queries credman for a credential to use when
accessing \\bigsrv and doesn’t find one
5. Auth package communicates information about the target to
credman
Application
6. Auth package tries to authenticate using default creds
(bobws\bob) and fails
dev.foo.com
7. Failure is communicated to application which calls credui which
checks for any saved creds, and target information.
8. User enters appropriate creds and chooses to save.
Credui
LSA
Credman
Auth Pkg
Target Information
DNS tree name:
DNS domain name:
DNS machine name:
NetBIOS domain name:
NetBIOS machine name
[email protected]
!2343Dsdfgd
foo.com
dev.foo.com
[email protected]
dev
: dev\bigsrv
9. Creds passed to credman and application uses
them to authenticate to \\bigsrv\share and succeeds
\\bigsrv\share
Application Authentication
Session based applications
Client-server connection for user session
Connection (or packet) oriented protocol
E.g., File system, SQL Server™,
Active Directory
Kerberos, NTLM, SSL/TLS, Digest
Message based applications
No persistent client-server connection
E.g., SMTP, MSMQ, Transaction processing, Batch
jobs
Signed-messages
S/MIME, PKCS7, XMLDSIG
Application Design Goals
Gaps in platform support
Store/Forward with Impersonation
No logon session per message received
Web app with Delegation
Only Kerberos provides delegation
Not all browsers support Kerberos
Multi-tier app with Delegation
Kerberos delegation has no constraints
Service can do anything as user with Forwarded
TGT
What’s the Problem with W2K
Delegation?
Web app with Delegation
Only Kerberos provides delegation
Not all browsers support Kerberos
Multi-tier app with Delegation
Kerberos delegation has no constraints
Service can do anything as user with Forwarded
TGT
Windows Server 2003 Solution:
Kerberos Constrained Delegation and
Protocol Transition (S4U)
Protocol Transition
Kerberos S4U2self extension
Authentication flow
Service: authenticates via Kerberos
User: authenticates to service (however)
Service: S4U2self TGS-REQ
Gets ticket to itself with user’s authorization data
API for S4U2self
LsaLogonUser(user_UPN)
No Password needed
Impersonation token
Identification token
Windows Server 2003 Authentication
Trust
KDC
Ticket
Verify Policy:
Allowed-To-Delegate-To
Passport
Users
Basic
Digest
SSL
Ticket
Signed Messages, S/MIME/SMTP
XMLDSIG/HTTP
Kerberos
Cert
Front End
Application
Back End
Application
Secure Network Access
Infrastructure
Network Access Evolution
DHCP
RADIUS
Static IP (servers)
Dynamic IP
DHCP Options
Corpnet
VPN
802.11 Secured Building
How can we protect
against eavesdropping?
WEP
How do we do
secure authentication
and improve keying?
802.1x
Internet
How should security apply
to wired connections?
Network Identity and Trust
User Trust
Machine Trust
What constitutes user identity?
• Username, password,
token card, certificate,
group membership, all?
If I trust the person,
do I trust the machine?
What constitutes machine identity?
• Token, OS, connection,
domain membership,
system configuration?
If I trust the machine,
do I trust the user?
Authentication models need to be rich
Integrating IT and Network Service
Access
Plug-in authentication
model, Kerberos & PKI
End-to-end, link neutral
encryption as
appropriate
Directory System
Authenticate to
Directory
Requirement:
Interoperable Standards
& Open Systems
Network
Access
Control
Secure
channel
Content/service
Link specific
encryption as appropriate
Access
Point
Extensible
strong authentication
protocol
Client
Integrated network
connectivity w/ network
& services single sign-on
integration & plug-in
authentication model
Microsoft Secure Network Access
Infrastructure
®
Directory System
Interoperable Standards
& Open Systems
Active Directory,
Microsoft CA
Windows Internet
Authentication Service
ADSI with
LSA login
IPSec Transport Mode
Network
Access
Control
Content/service
Link encryption:
PPTP, L2TP/IPSec, WEP
Access
Point
Extensible Authentication
Protocol w/ Transport Layer
Security services
(EAP-TLS & PEAP)
RADIUS
Any interoperable
standards-based access
point or Windows RRAS
Windows 2000,
Windows XP
Client
Internet Authentication Service
Remote Authentication Dial-In User Service (RADIUS)
Authentication, authorization and accounting service for
network access
Central access policy and accounting management
Extensible authorization model
Authenticated and encrypted UDP channel
Shared key authentication
“Client”-to-server (gateway to server) session
End-to-end authentication PC to RADIUS server
Proxy (gateway to proxy… to server)
RADIUS
Client
Authorization
Authentication
RADIUS Proxies
RADIUS Server
Internet Authentication Service
Secure Wireless Deployment
Barriers
to Effective 802.11 Security
Management
Access control (who get on the network)
Static keys are vulnerable to theft
Management of static WEP keys
Static keys make WEP vulnerable
Windows
802.1x – Bind EAP to 802.11
2003 and XP Solution
Authentication and key generation
Add 802.1x authentication to IAS
Wireless connection type, OID checking…
Internet Authentication Service
XML – SQL Logging
RADIUS Events
Via XML-SQL
SQL Consolidation
Wireless Access Points
IAS Servers
SQL Servers
Event Main (index)
Event Data (records)
High-scale Query Capable Logging
•
•
•
•
Discover hackers vs. password failure
Identify session behavior
Identify deployment blockers/issues
Customizable reports
Wireless LAN Deployment
A case study
Infrastructure Considerations
Access Point (AP) Placement
Decrease cell size (10m radius)
Increase cell density
Overlapping cells via channel configuration
Allow for fewer clients per AP
Forcing 5.5-11Mbps only
Mitigate possible Bluetooth interference
Create a migration path to 802.11a
Low Voltage Wiring or In-line Power
Use to enable remote cold booting of APs from a
central or remote location
AP Load Balancing
Client Considerations
Easy client setup – Plug and Play
Seamless client roaming within a building
Single wireless subnet in each building
Reduce collision domain
Restricts Netbios access to that building segment
Enhances security
Unique Enterprise Broadcast SSID
Enhanced usability with Windows® XP Zero
Configuration Wireless Client
Automatically Obtain a New DHCP Address When
Changing Subnets
Windows 2000 and Windows XP clients
Client and Helpdesk Troubleshooting Tools
AP Monitor in Windows XP
Security Considerations
MAC Address Filtering
Not Scalable
MAC Address exception list must be maintained and
propagated to all APs
Client could neglect to report a lost card
Client could change the MAC address
Wired Equivalent Privacy (WEP)
40 bit supported per 802.11b standard
128bit is proprietary
WEP keys are not dynamically changed
Unique key is required across the enterprise
Difficult to change or administer
Vulnerable to attack
128 bit WEP can be hacked within 2 hours using PCbased tools and 802.11b adapter
Security Enhancements
802.1X Solution
Client Network Access (link layer) Controlled by Access Point
Based on Machine and/or Domain User Account Authentication
Authentication Process Secured via Standard Public Key
Infrastructure (PKI) Protocols
Client Machines and Users Negotiate Authentication Against
Internet Authentication Server (IAS)
Extensible Authentication Protocol over LAN (EAPoL)
Transport Layer Security (TLS)
Public/private keys/ X.509 Certificates
Uses two-factor authentication
Available in Microsoft® Windows XP
IAS proxies authentication requests to Active Directory and
Certificate Authority (CRL)
IAS is Microsoft’s RADIUS server product
Dynamic WEP for Each Client Session
Changed with each new connection session, roaming, or within a
preset time interval
Enhanced Security
802.1X Solution
P
EA
Domain User/
Machine
Certificate
ec
nn
o
C
n
tio
Server
Certificate
Wireless LAN
Technical Lessons Learned
Plan for Certificates Issues
Monitor Active Directory
Inconsistent across domains and platforms
Recognize Dependencies
Is overloaded, 802.1X is affected
Effects both .Net Server and Windows 2000 SP2
Monitor Client DHCP response timeouts
Required to build a secured web-based tool to validate and/or obtain
machine/user certificates until Active Directory infrastructure becomes
.NET native then support certificate auto-enrollment
Avoid issues with Certificate Revocation List (CRL) expiration
RADIUS Server failover support in Access Points
Caused clients to fail authentication and lose connectivity
Plan for Authentication Mechanisms that Stress the Infrastructure
Unlike Any Other Service Previously Deployed
Re-authentication required when roaming and at timeout
Cross-forest and multi-domain authentication required
DEMO: Wireless Authentication
Wireless LAN & 802.1x
Reference Information
Microsoft Corporation
Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet
Authentication Service
802.1x (TechNet)
Wireless Network Security within 802.1x
Set up 802.1x Authentication on Windows XP Client
http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/8021x.asp
http://www.microsoft.com/windowsxp/home/using/productdoc/en/8021x_client_configure.asp
Wireless LAN Association
http://www.wlana.org
IEEE 802.11 & 802.1x
http://msdn.microsoft.com/library/en-us/wceddk40/htm/cmcon8021xauthentication.asp
http://www.microsoft.com/TechNet/prodtechnol/winxppro/reskit/prdc_mcc_corc.asp
802.1x Authentication
http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp
http://www.ieee.org
OSHA Health and Safety
http://www.osha-slc.gov/SLTC/radiofrequencyradiation
Questions ?