Kimberry - Microsoft


Building End-to-End
Infrastructure Security
Windows XP, Vista, Server 2003
and Active Directory
John Craddock
Principal Systems Consultant
Sally Storey
Senior Consultant
Kimberry Associates
2
Sponsored by Kimberry Associates
www.kimberry.co.uk
3
Seminar Topics
• Is your IT infrastructure secure?
• Securing your network
• Implementing server security
• Vista technologies
• Troubleshooting tips
4
Demo Environment
[Diagram: the sellers.example.net demo domain on the 10.30.5.x network, with dc, app1, app2, client1, client2 and vista1 at addresses 10.30.5.1, 10.30.5.2, 10.30.5.10, 10.30.5.20, 10.30.5.100 and 10.30.5.200, plus an unmanaged system that may be a partner, contractor or hacker]
• Demo environment hosted in Microsoft Virtual
Server 2005 R2
– Multiple servers and clients
• The demos have been built from our
real-world experience
5
Demo Systems
• Dell Optiplex GX620
• Intel Pentium 4 (EM64T)
• 4 GB memory
• Windows Server 2003 Enterprise x64 Edition
• Microsoft Virtual Server 2005
• Lots of virtual images
• Web administration of servers
• Remote access via vmrc
6
Acknowledgement
• Graham Calladine
Microsoft Security Specialist
• Thanks for all your help with some nitty
gritty bits!
7
Legal Stuff
Every effort has been made to make this seminar as complete
and as accurate as possible but no warranty or fitness is implied.
The presenters, authors, publisher, sponsors and distributors
assume no responsibility for errors or omissions, or for damages
resulting from the use of the information contained herein.
Names identifying the directory and associated objects are fictitious
and are not intended to represent any organizations or people.
All trademarks are acknowledged and are the property of their
respective owners
© All materials are copyright Kimberry Associates
BGInfo used by courtesy of sysinternals.com
8
Keep your job…
Security Testing
Before conducting any type of security testing or evaluation, get
executive level approval. Failure to obtain the necessary approval
might result in you committing a computer crime.
Applying security technologies may result in loss of confidentiality,
integrity or availability of corporate assets.
You must rigorously test and evaluate before deploying into
production. Perform a staged rollout, testing at every phase.
9
Concerned?
• Some of the things we show may worry
you
– But they can be mitigated
If you know the enemy and know yourself, you need not
fear the result of a hundred battles. If you know yourself
but not the enemy, for every victory gained you will also
suffer a defeat. If you know neither the enemy nor
yourself, you will succumb in every battle.
The Art of War, by Sun Tzu (544-496 BC)
10
An Expanding Environment
11
Your Answer
• If you answer Yes, you might start
explaining all the great security features
you have deployed
– Strong passwords
– Two factor authentication
– Firewalls
– File encryption and so much more…
12
So Many Unanswered Questions?
• But what have you secured?
– Against what?
• Answering “we could be attacked” is not acceptable
• How do you know it’s secure?
• How do you know it will remain secure?
• How will you accommodate changes?
• How much effort have you wasted applying inappropriate security features?
• How can you show you have done due diligence?
It’s good you’re thinking security
13
A Security Process is a Must
Security Risk Management Process: identifies threats, risks and mitigations
Security Policy: statement of what you must do to secure the environment
Documented Processes and Procedures: what you say you do and how you do it
Operations: what you really do
Security policy structure:
– General section on how IT users should behave (ethics/acceptable use), available to all users
– Detailed sections defining policies for each infrastructure component/subsystem
• Business logic
• Wireless Communication
• Anti-Virus/Malware
• Workstation Security
• E-mail Policy
• Server Security
• VPN Access
• Password Protection
14
The Correct Starting Point
[Diagram: losses to the business: financial loss; punitive measures due to breach of compliance with legal responsibilities; loss of credibility (reputation)]
• Is your business secure from attacks
(malicious or unintentional) that may
result in losses to the business?
– You can only provide an informed answer if
your organization has implemented a Security
Risk Management Process (SRMP)
15
Secure?
• The SRMP will help you identify what
you need to secure against
• You cannot secure everything
immediately
– The SRMP will identify your highest risks
and allow you to focus your attention and
resources
16
What You Need to Secure
• Business assets
– Anything of value to the organization
– May be physical or abstract
• Hardware including IT infrastructure
• Software
• People
• Business processes and procedures
• Data
17
Against What?
• Threat
– Potential cause of a negative impact to the
business
• Loss of Confidentiality, Integrity, or Availability (CIA)
• Attack vectors
– Paths through which the threat can be realized
• Requires one or more vulnerabilities
• Vulnerability
– A weakness that makes an asset susceptible to an
exploit by a threat
18
Threat Statement
• The threat statement should be defined in terms of what may happen rather than how it may happen
– Triggers the thought process: “How could that happen?”
Example: “Loss of confidentiality to sales data due to sales agent’s credentials being stolen”

Vulnerabilities                 | Current mitigation          | Required for review
--------------------------------+-----------------------------+------------------------------
Theft via social engineering    | None                        | Theft via social engineering
Theft via telepathy             | Unknown at this time        | -
Theft via keyboard logger       | None                        | Theft via keyboard logger
Theft via unlocked workstation  | Locking screen savers       | -
Theft via network sniffers      | Kerberos + strong passwords | -
19
SRMP Steps
Identify:
• Assets
• Threats to assets
• Vulnerabilities
• Risks
Prioritize and manage risks
Compliance testing
The process continues throughout the life of the organization
• The process must be
fully documented
– It should clearly show the
threats, vulnerabilities
and risks that you have
identified and how you
have managed them
• It shows you have done
due diligence
20
Threat Modelling
[Diagram: decision drivers (asset owner, asset value, exposure if the threat is realized, vulnerabilities, probability of the threat being exploited, historic data) feed an impact rating and a probability rating, which together give the RISK]
• Clearly define the threat to an asset and calculate the
associated risk
– Qualitative risk assessment
• Numeric rating or high/medium/low
• Very subjective, you must be consistent in your classification
– Quantitative risk assessment
• Financial cost
21
Summary Risk Statement
Summary risk statement columns: Asset, Class rating, Threat description, Vulnerability description, Exposure rating, Impact rating, Probability rating, Risk rating
• It is simplest to start with a qualitative
approach
– Can quickly identify the highest risks
• Analyze further to gain granularity in risk
rating
• Quantify the risks in financial terms
• For help planning your risk management,
download the Microsoft “Security Risk
Management Guide”
22
Keys to Success
• Set a realistic scope for the threat
modelling exercise
– Limit the initial work to your highest value
assets
– Limit the scope of the threats that you
consider
– Start with a qualitative assessment
• Mitigate the highest risks first
23
Risk Management
[Flowchart: starting from the risk statement, the decisions are: Possible mitigation? Is it mandatory? Is it cost effective? Can you avoid or transfer? Can you accept the risk? The outcomes are Implement mitigation or Avoid or transfer risk; along the way you document the options, document the actions and update the risk statement]
24
It’s a Team Effort
• Dedicated and committed Security Risk Management Team
• Requires 100% buy-in from
– Executive sponsors
– The business (asset) owners
– The information security group
– The information technology group
– Other stakeholders including
• Finance, HR and public relations
25
You Need to Sell the Process
• Talk to an asset owner:
– “How much would it cost the company if the sales
agents could not work for a day”
• $200,000 per day
• How long would it take your team to clean
malware off all the sales computers?
– 3 days
– Loss: 3 x $200,000 = $600,000
• How much would it cost to instigate a security
process that mitigated the risk?
– Estimated 6 weeks for team, cost $50,000
26
Money Please….
[Cartoon: the consultant puts the case to an executive]
“Currently we don’t have an effective security process. The chances of sales computers being compromised are high. While we recover the systems the company will lose $600,000.”
“If we had a good security management process in place, the risks of being compromised are low. Initial project costs estimated at $50,000.”
“Oh, and if we lost confidentiality of customers’ personal identity information you could end up in prison!”
Thought bubble: “What’s she after?” Label: good documentation
“$600,000 vs $50,000, and of course it could happen more than once!”
• Good reference
– Assessing Network Security ISBN 0-7356-2033-4
– See part 1 of the book
27
Reducing the Impact
• How can we reduce the impact of an
exploit that might be realized?
– Mitigate the risk as far as possible and
have response procedures to reduce the
impact
– Examples
• Restoring data from backup
• Changing credentials
28
IT Infrastructure
[Diagram: IT infrastructure layers: Data; Application; Host; Internal Network; Perimeter; Physical Security; Policies, Procedures & Awareness]
• Vulnerabilities can be mitigated in multiple layers within the infrastructure
– Defence-in-depth
– Mitigation in lower layers may negate the impact of a zero-day exploit
29
[Diagram: attack surface of a system: audio listeners, camera, shoulder surfers, keyboard, key logger, physical tampering, Firewire, serial port, Bluetooth, USB, CDROM, backup tapes, network (direct port exploit; exploit via application: email, instant messaging, web server, web browser etc), and information sources such as CVs/resumes, news groups, social engineering and operational documents]
• Threats to all entry points
– Many exploits are based on previously collected information
– To exploit the system, code must be executed
30
The Biggest System Killer
Users
– Malicious code runs in user mode: the exploit ends when the user logs off, but it can be set to restart at logon
– Users logged on as administrators: code can do anything!
• Typically, malicious code runs through user action or a browser exploit
31
Least Privilege Please
• User privilege
– Exploit damage
limited
– Easier to detect
• Administrative
privilege
– Maximum damage
– Can disable firewall,
virus and malware
detection
– Cloak attacks
• Rootkits
32
Administrator Logon
• Never log on to a computer with higher
privileges than you need for the task in
hand
• Never do a “Run As” on another user’s
desktop
• Monitor membership of critical
administrator groups
33
Physical Access Must be Controlled
[Cartoon] “I’m now your local administrator!!”
“Oh sorry I forgot, it’s a DC. I now own your forest”
34
Well Intentioned Behaviour
• Secure your systems’ CIA for known and well-intentioned behaviour
– Ensure users have appropriate privileges and passwords
– Implement system/application access control
– Restrict browser capabilities
– Prevent unwanted code execution
• Requires Software Restriction Policies
– Install virus and malware detection/removal software
– Educate users against social engineering techniques and
shoulder surfers
– Mandate acceptable behaviour and penalties as part of your
security policy
• Users should sign a declaration that they have read and
understood the policy
35
Malicious Behaviour
• Anything that receives input can have
potential vulnerabilities
– Applications, services listening at ports,
scripting hosts, rendering code…
• Malicious code can be crafted in many
ways
– Malformed input, network packets, script
code, graphic objects…
36
Reducing the Attack Surface
• Only allow “managed” systems to communicate on your network
– IPsec
• Disable all unnecessary applications and services
– Group policy lockdown
• Maximise lockdown on all systems based on OS and usage
requirements
• Keep your systems and applications fully patched
– Patch management
• Use a host based firewall to block unnecessary ports
– Deploy via group policy
• Minimise the number of administrators
– Monitor key administrative groups
• Provide a reporting mechanism for users that observe unusual
system behaviour
37
System/Application Vulnerabilities
• Microsoft Security Response Center
vulnerability definition
– “A security vulnerability is a flaw in a product that
makes it infeasible – even when using the product
properly - to prevent an attacker from usurping
privileges on the user's system, regulating its
operation, compromising data on it, or assuming
ungranted trust”
• Maximum damage
– If exploited application or service is running with
administrator/system privileges
38
Do You Trust That Application?
• There is a potential risk from software where
developers do not implement a Security
Development Lifecycle (SDL) process
• The SDL process shows that the developers
have done due-diligence in minimising
vulnerabilities and risks
• See “The Security Development Lifecycle”
– MSPress: ISBN 0-7356-2214-0
Patching is essential…
40
Patch Management
• The key phases:
– Monitoring for security bulletins and
updates
– Determining the risk level
– Testing an update
– Deploying an update
– Checking for a successful deployment
41
Testing is Essential
• KB918165
– You may experience problems in Windows
Explorer or in the Windows shell after you
install security update MS06-015
• Testing and phased deployment
– Step 1: Deploy updates in test environment
– Step 2: Limited deployment to department/site
– Step 3: Deploy to enterprise
42
Microsoft – Three Solutions
• Microsoft Update (MU)
– Consumer / small business
• Windows Server Update Services (WSUS)
– Business requiring simple low cost solution
• Systems Management Server (SMS)
– Flexible and advanced patch management
43
WSUS – It’s Free!
[Diagram: the WSUS server downloads metadata from Microsoft Update over HTTP (port 80); this requires access to multiple URLs. The metadata is held in the WSUS SQL store: SQL Server 2000, SQL Server 2005, MSDE or SQL 2005 Express]
Metadata includes details of the update and the operating systems and applications to which it applies
Filters: metadata downloads can be filtered based on:
• Products: Microsoft operating systems and applications
• Update classifications: Critical, security, drivers, etc
• Languages: One or more supported languages
44
WSUS Approvals
Metadata held in SQL store: “Security Update for Windows XXX (KB xxxx)”; approval: you decide
• Detect only: clients can be identified that require this update; the update is not installed
• Install: the update is installed on the client
• Not approved: neither of the above
• Remove: the update will be removed from the client; many updates do not support this option
• Decline: the update is not required and is removed from view
With the exception of decline, the approval status can be applied against all computers or a group of computers
45
WSUS Groups
• WSUS groups define groups of
computers that can be targeted for
updates
• Membership is controlled by
– WSUS server administrator
– Group policy or registry settings
• Target updates to WSUS groups for
phased deployment
46
Approved for Install
[Diagram: the WSUS server downloads the updates approved for install via HTTP (80) from Microsoft Update (requires access to multiple URLs); the SQL-stored metadata defines the patches approved for install to the computers in each WSUS group; the client downloads and installs the patch]
47
WSUS Clients
[Diagram: a FileServers OU with a FileServer group policy that delivers the WSUS configuration]
WSUS configuration includes:
• Specifying location of WSUS server
• WSUS target group name
• Automatic updates detection frequency
• Install options and schedule
• Reboot options
• OUs can be created to collect together
computers that have the same WSUS
requirements
– Your OU design must also match the
requirements of security settings that are applied
via group policy
Closing the loop…
49
Security Assessment
Security health assessment and IT audit:
• Compares each area against standards and best practices
• Scores compliance and improves process
• On-going circular process
[Diagram: Security Risk Management Process (identifies threats, risks and mitigations) feeds the Security Policy (statement of what you must do), which feeds the documented processes and procedures (what you say you do and how you do it), which feed Operations (what you really do); the assessment closes the loop back to the process]
50
Assessment Tools
• WSUS
• Security Configuration Wizard
• Security Configuration & Analysis
• Scripts
For high-value assets consider PEN testing
51
Managing Compliance
[Flowchart: Is the system compliant? Yes: document and check the next system. No: notify the owner to correct it (no owner: remove from network). Non-compliance corrected? Yes: document. No: exemption allowed? Yes: grant exemption. No: remove from network, so we can ask the question again]
53
Is your Infrastructure Secure?
• My infrastructure matches the requirements
of our security policy
– Balancing the need for security, user
requirements, and compliance
• How do you know your policies are correct?
– We regularly run our Risk Management Process
• How do you know your infrastructure matches
your policy?
– We perform regular assessments and audits
• What happens if you are exploited?
– We have a response plan
54
It’s a Long and Winding Road
• You will never reach the end of the rainbow but you must try
Think security
“It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected”
The Art of War, by Sun Tzu (544-496 BC)
Securing your network
56
TCP/IP Stack
[Diagram of the TCP/IP stack, top to bottom]
Services and applications: may be listening for an inbound connection request or creating an outbound connection
Ports
TCP / UDP
ICMP: echo request/replies and more…
IP
ARP: sends and responds to IP to MAC address resolution requests
Network Interface
57
Attack Surface
Listening services & applications: exploit through service/application vulnerability; information disclosure; backdoors/bots
TCP / UDP: information disclosure
ICMP / IP: information disclosure; spoofing/tampering; packet integrity; packet replay (network packet)
ARP: information disclosure
Network Interface: exploit stack; denial of service; malformed network traffic
58
Reducing the Attack Surface
Listening services & applications: disable all unnecessary services/applications; keep patching up-to-date
TCP / UDP: block all unnecessary inbound traffic with the Windows Firewall
ICMP / IP: information disclosure: encrypt data; network packet: sign packet
Network Interface: keep stack patching up-to-date; harden the stack against malformed network traffic
59
Windows Firewall
• Default: blocks all inbound traffic; outbound traffic not affected
• Dynamic port exceptions allowed for approved applications/services; the exception lasts for the duration of the application
• ICMP behaviour can be configured
• Exceptions based on traffic profile: protocol (TCP/UDP), port, source address
• If possible avoid defining exceptions for programs/services that fan out to multiple programs/services: svchost, dllhost and inetinfo
• Firewall log
• Recommend configuration via group policy
– Consistent configuration
– More options available
• Command line configuration via netsh
60
A Quick TCP/IP Primer
TCP: the stack establishes the connection
– Port open: SYN, then SYN + ACK, then ACK, then data exchange
– Port closed: SYN, then SYN + RESET
– Used to detect open TCP firewall ports when applications and services are not listening at a port
UDP:port: connectionless; requires an application/service listening at the specified port to respond
ICMP: connectionless; requires ICMP on the server to respond
ARP: IP to MAC resolution; not affected by the firewall; can detect that a host is on the network even if the firewall blocks everything
61
Network Scanners
• Network scanners vary in sophistication
– Scan for ICMP response and open ports
– Hosts with all ICMP and all ports blocked can be
detected via ARP scanning
– UDP scans require knowledge of what the port is
listening for
– TCP scans can detect open firewall ports and
open TCP ports
– Can retrieve host details from appropriate listening
services
• Provided you have the appropriate credentials
Many scanning tools require raw sockets for full
functionality - not supported natively on Windows XP!
62
Which Ports?
• Enable the Firewall and restrict the number of
ports to a minimum
– Rather than opening ports for an application, add
the application to the approved list
• Check documentation for ports that are
required
• Troubleshoot with firewall log, netsh and a
network sniffer
– SMS Network Monitor
• Netmon 3 soon to be released
– Wireshark (Ethereal)
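The slides above describe the TCP scan (SYN answered by SYN + RESET, or by nothing when the firewall drops it) and point at the firewall log as a troubleshooting source. As an added example that is not part of the seminar material, the Python below reads a Windows Firewall log in the W3C-style format the XP SP2 / Server 2003 firewall writes to pfirewall.log and flags a source whose dropped inbound SYNs hit many distinct ports within a short window, which is what such a scan looks like from the defender's side. The log lines are constructed; the window and port thresholds are assumptions to tune.

```python
"""Spot TCP SYN port sweeps in a Windows Firewall log (pfirewall.log, XP SP2 / 2003 format)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not a real capture. Windows Firewall writes a W3C-style
# header whose "#Fields:" line names the columns, then one space-separated record per line.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-05-10 09:12:01 DROP TCP 10.30.5.100 10.30.5.10 4321 21 48 S 1234567 0 65535 - - - RECEIVE
2006-05-10 09:12:01 DROP TCP 10.30.5.100 10.30.5.10 4322 23 48 S 1234568 0 65535 - - - RECEIVE
2006-05-10 09:12:01 DROP TCP 10.30.5.100 10.30.5.10 4323 25 48 S 1234569 0 65535 - - - RECEIVE
2006-05-10 09:12:01 DROP TCP 10.30.5.100 10.30.5.10 4324 80 48 S 1234570 0 65535 - - - RECEIVE
2006-05-10 09:12:02 DROP TCP 10.30.5.100 10.30.5.10 4325 135 48 S 1234571 0 65535 - - - RECEIVE
2006-05-10 09:12:02 DROP TCP 10.30.5.100 10.30.5.10 4326 139 48 S 1234572 0 65535 - - - RECEIVE
2006-05-10 09:12:02 DROP TCP 10.30.5.100 10.30.5.10 4327 3389 48 S 1234573 0 65535 - - - RECEIVE
2006-05-10 09:12:03 OPEN TCP 10.30.5.100 10.30.5.10 4331 445 - - - - - - - - -
2006-05-10 09:12:05 DROP ICMP 10.30.5.200 10.30.5.10 - - 60 - - - - 8 0 - RECEIVE
2006-05-10 09:40:00 DROP TCP 10.30.5.200 10.30.5.10 1050 80 48 S 7654321 0 65535 - - - RECEIVE
"""


def parse_log(text):
    """Parse log text into a list of dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated or corrupt line rather than misalign the columns
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_syn_sweeps(records, window_seconds=60, min_ports=5):
    """Return [(src-ip, dst-ip, sorted ports)] for sources whose dropped inbound SYNs
    reach at least min_ports distinct destination ports within window_seconds.
    The thresholds are assumptions; tune them to the noise level of your own network."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for r in records:
        # A bare SYN (flag S without A) dropped on receive is a probe of a closed or
        # filtered port; replies, ACKs, OPEN records and ICMP are left out.
        if (r["action"] == "DROP" and r["protocol"] == "TCP" and r["path"] == "RECEIVE"
                and "S" in r["tcpflags"] and "A" not in r["tcpflags"]):
            by_pair[(r["src-ip"], r["dst-ip"])].append((r["timestamp"], int(r["dst-port"])))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        in_window, left, hit = Counter(), 0, set()
        for ts, port in events:          # sliding window over the time-ordered probes
            in_window[port] += 1
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                hit.update(in_window)
        if hit:
            findings.append((src, dst, sorted(hit)))
    return findings


if __name__ == "__main__":
    for src, dst, ports in find_syn_sweeps(parse_log(SAMPLE_LOG)):
        print("possible port sweep from %s against %s: ports %s" % (src, dst, ports))
```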
63
Dynamically Assigned Ports
[Diagram: the client contacts the Endpoint-mapper service on port 135, which dynamically allocates a port (XXXX) for the RPC Locator service]
• Enable the Windows Firewall setting
– Allow remote administration exception
• Do not enable unless required
• Does not always fix the problem
– May have to assign static ports to DCOM components
How can we isolate network
resource access to managed
computers?
65
Windows Firewalls?
[Diagram: a file server whose Windows Firewall has file sharing enabled for subnet 10.20.0.0; managed computers, a DHCP server, a visitor and a hacker all sit on subnet 10.20.0.0]
• We need a way of restricting access to
managed (domain member) computers
– Managed by group policy and health
compliance management tools
66
IPsec to the Rescue
• IPsec Driver
– Blocks, permits or requires authentication for all traffic that meets a defined traffic profile
[Diagram: the IPsec driver sits beneath TCP, UDP and ICMP at the IP layer of the stack]
Traffic profile: <Protocol> <source IP> <destination IP> <source port> <destination port>
Addresses may be: Individual IP, Subnet, All, My Address, DNS server, WINS server, DHCP server, Default Gateway
67
IPsec Isolation
Domain Isolation: protects managed computers from unmanaged or rogue computers and users
Server Isolation: protects specific high-valued servers and data
• IPsec policies can be configured to only allow
authenticated (managed) computers to
communicate on the network
– Side benefit
• Encourages users to join their computers to the domain
• For high-value assets network traffic can be
encrypted
68
It Will Not Mitigate
[Cartoon: “$$$$ Your assets are worth so much more $$$$$$$” “How much?”]
IPsec isolation will not mitigate:
• Physical tampering
• Information disclosure by trusted users
• Untrusted computers compromising other untrusted computers
• Excess privileges
• Theft of credential
• Non compliant trusted systems
Defence-in-depth is required
69
Deployed Through Group Policy
[Diagram: group policy from the Active Directory domain controllers applies domain isolation to the managed computers and server isolation to the high asset servers and managed resource servers; unmanaged systems (vendors, partners and some systems you may not want!) are blocked (X) from the managed computers]
70
Edge/Boundary Servers
[Diagram: domain isolation deployed through group policy as on the previous slide, but with managed infrastructure servers (DHCP, WINS, DNS, proxies, VPN) at the edge/boundary, reachable by both managed and unmanaged systems (vendors, partners and some systems you may not want!); server isolation protects the high asset servers and managed resource servers]
Defence-in-depth is required
71
No Hardware Upgrades Necessary
• IPsec allows you to create logical
networks of communicating systems
– It does not require any additional
infrastructure
• Caveat
– Encrypting traffic can add a substantial
amount of processor overhead
• Consider using hardware cryptographic
accelerators
72
IPsec Primer
IKE = Internet Key Exchange
• IKE: create a shared secret between the hosts using Diffie-Hellman (768/1024/2048 key)
• IKE: authenticate over the secure channel using Kerberos / certificates or preshared keys
– Result: main mode security association (key life configurable, default: 8 hours)
• IKE: establish IPsec session keys and create the Security Association for the session
– Result: quick mode IPsec SA (key life configurable, default 1 hour/100 MB; drops after 3 mins of inactivity)
• IPsec driver: exchange data with integrity, or integrity + encryption
73
IPsec Implementation
[Diagram: Group Policy from AD is picked up by the Policy agent and written to the Registry; IKE and the IPsec Driver apply it; Monitoring reports on the result]
74
Data Exchange
AH (IP Protocol ID 51): IP Header | AH | IP payload
Authentication Header (AH) contains:
• Protocol ID of payload (TCP/UDP/ICMP…)
• Sequence number: prevents replay
• Security Parameters Index: identifies the IPsec SA
• Integrity Check Value (ICV) calculated with SHA1 or MD5
The whole packet is signed, ignoring the ICV field and the fields that change in transit
ESP (IP Protocol ID 50): IP Header | ESP | encrypted IP payload | ESP ICV
Encapsulating Security Payload (ESP) headers contain:
• Protocol ID of payload (TCP/UDP/ICMP…)
• Sequence number: prevents replay
• Security Parameters Index: identifies the IPsec SA
• Integrity Check Value (ICV)
The ESP header and payload are signed; the payload is encrypted
When you just want integrity through NAT use ESP-Null
75
Creating an IPsec Policy
(Simplified)
IPsec policy = traffic profile filter + action if the traffic matches the profile
Traffic profile filter: <Protocol> <source IP> <destination IP> <source port> <destination port>
Action: Block, Permit or Authenticate
Properties if authentication is required:
• Main mode negotiation methods and configuration
• Authentication requirements: Kerberos/Certificates/preshared key
• Fallback options
76
Rules
A Filter List groups together multiple IP Filters (traffic profile filters)
A Rule associates a Filter List and a Filter Action
If the incoming or outgoing traffic matches any of the profiles in the filter list the associated action is performed
• Multiple Rules, IP Filters, Filter Lists and Filter
Actions can be defined in the database
• A policy can have one or more rules
77
Negotiated Security Options
• Default Response
– A host responds to IPsec requests, but never initiates IPsec
• Request Mode
– A host responds to both IPsec and unauthenticated (non-IPsec) requests
– It initiates communications with IPsec, and if that fails, falls
back to unauthenticated communications
• Secure Request Mode
– A host responds to requests secured by IPsec, and ignores
unauthenticated requests
– It initiates communications with IPsec, and if that fails, falls
back to unauthenticated communications
• Full Require Mode
– A host requires IPsec-secured communications for both
inbound and outgoing requests
78
Setting Options


[Screenshots: IPsec policy settings for Request Mode, Secure Request Mode and Full Require Mode]
79
Simplify Deployment
• Phase 1: Request Mode
– Can access non-IPsec computers
– Leave boundary servers in this mode
• Phase 2 (when IPsec is operational on all computers): Secure Request Mode
– Trusted computer
– See KB 914841 hotfix
• Phase 2: Full Require Mode
– High value environment
– Blocks access to/from non-IPsec computers
• KB 914841 hotfix
– Supports XP and 2003
– The fallback-to-clear timeout value is reduced from 3 seconds to 500 milliseconds (ms)
– Credential and policy mismatch failures are now permitted to use the fallback-to-clear functionality
80
Domain Isolation
[Diagram: an AD domain with computers in Request mode, Secure Request mode and Require encryption]
• Deploy group policy at domain level
– Must have clear channel to domain controller
• Apply policy based on computer group membership
– Deny policy for non IPsec computers
• There will be exceptions to this simple approach
– KB 914841 hotfix (March 2006) reduces the need for exceptions
• Requires registry change
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley\
– IKEFlags=0x14
• Keep Ping alive
– Required for troubleshooting
• Careful planning is essential
81
IPsec Caveats
• Scenario 1: an XP/2003 host in IPsec Secure Request mode initiates a connection to a non-IPsec client with fallback; the resulting soft SA allows communication in both directions and all ports are exposed
• Scenario 2: a non-IPsec client sends broadcast/multicast traffic; because of the IPsec broadcast exemption on Windows XP, an XP host in Secure Request mode replies with fallback; again the soft SA allows communication in both directions and all ports are exposed
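The following Python model is an added example, not part of the seminar slides or of Windows. It encodes the four negotiated security options from the “Negotiated Security Options” slide plus a host with no IPsec policy, and the soft-SA behaviour from the “IPsec Caveats” slide, so you can see for each pair of modes whether the hosts talk over IPsec, in the clear, or not at all, and how one fallback opens a Secure Request host to clear traffic from that peer. It is a simplified model: IKE authentication failures, timeouts and SA lifetimes are not represented.

```python
"""Model of the IPsec negotiation modes described on the slides and the soft-SA caveat."""
from enum import Enum


class Mode(Enum):
    NONE = "no IPsec policy"        # unmanaged / non-IPsec host
    DEFAULT_RESPONSE = "Default Response"
    REQUEST = "Request Mode"
    SECURE_REQUEST = "Secure Request Mode"
    FULL_REQUIRE = "Full Require Mode"


# Behaviour of each mode, taken from the slide's definitions.
INITIATES_IKE = {Mode.REQUEST, Mode.SECURE_REQUEST, Mode.FULL_REQUIRE}
RESPONDS_TO_IKE = {Mode.DEFAULT_RESPONSE, Mode.REQUEST, Mode.SECURE_REQUEST, Mode.FULL_REQUIRE}
SENDS_CLEAR = {Mode.NONE, Mode.DEFAULT_RESPONSE, Mode.REQUEST, Mode.SECURE_REQUEST}  # clear or fallback
ACCEPTS_CLEAR = {Mode.NONE, Mode.DEFAULT_RESPONSE, Mode.REQUEST}


class Host:
    def __init__(self, name, mode):
        self.name = name
        self.mode = mode
        self.soft_sa_with = set()   # peers with which a fallback to clear created a soft SA


def connect(src, dst):
    """Outcome of src opening a connection to dst: 'ipsec', 'clear' or 'blocked'."""
    if src.mode in INITIATES_IKE and dst.mode in RESPONDS_TO_IKE:
        return "ipsec"
    # A soft SA left by an earlier fallback lets clear traffic flow in both directions,
    # even into a Secure Request host that would otherwise ignore unauthenticated
    # requests: this is the "all ports exposed" caveat.
    if dst.name in src.soft_sa_with:
        return "clear"
    if src.mode in SENDS_CLEAR and dst.mode in ACCEPTS_CLEAR:
        if src.mode in INITIATES_IKE:   # IKE was attempted and failed: fallback creates a soft SA
            src.soft_sa_with.add(dst.name)
            dst.soft_sa_with.add(src.name)
        return "clear"
    return "blocked"


def matrix():
    """Connection outcome for every (initiator mode, responder mode) pair on fresh hosts."""
    return {(a, b): connect(Host("a", a), Host("b", b)) for a in Mode for b in Mode}


if __name__ == "__main__":
    for (a, b), outcome in matrix().items():
        print("%-20s -> %-20s : %s" % (a.value, b.value, outcome))
```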
82
Server Isolation
[Diagram: high asset HR servers and HR clients with their IPsec policy set to Secure; clients outside HR are blocked (X); enable encryption if required]
Control server access via group policy: set the User Rights Assignment “Access this computer from the network” to HR Users
HR Clients & Servers: set IPsec policy to Secure
83
IPsec and Firewalls
[Cartoon: “Hot stuff IPsec!”]
• Allow ISAKMP traffic inbound and outbound
– UDP Port 500
• Allow Encapsulating Security Payload (ESP) inbound
and outbound
– IP Protocol ID 50
• Allow Authentication Header (AH) inbound and
outbound
– IP Protocol ID 51
• For NAT use ESP-Null
84
Keys to Success
• High-level deployment steps:
– Define goals for deployment
– Document infrastructure components and usage
– Create machine groups in Active Directory
– Design IPsec policies and exceptions
– Validate policies by deploying in “request mode”
– Gradually add computers to managed domain
– Refine policies and interoperability plans
Implementing server security
86
One Size Does Not Fit All
• Server hardening must be in response to the
environment
– Trust and compatibility levels will vary
• Hardening often initially breaks the
system/applications
– Harden and test in your reference environment
before deploying into production
– Introduce security changes early in your
deployment cycle
87
Traditional Approach
• Server security implemented via group policy
– Policy settings have been manually configured or
imported from security templates
• Refer to Microsoft documentation and
templates
– “Windows 2003 Security Guide”
– “Threats and Countermeasures: Security Settings
in Windows Server 2003 and Windows XP”
88
Security Template
[Event Audit]
AuditSystemEvents = 1
[System Access]
LSAAnonymousNameLookup = 0
[System Log]
MaximumLogSize = 16384
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
[File Security]
"%systemRoot%\system32\tlntsvr.exe",1,"D:PAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0
• MS templates and recommendations for
– Legacy client (LC)
– Enterprise client (EC)
– Specialized Security Limited Functionality (SSLF)
You MUST test before deploying these templates
89
Managing Templates
• Security Templates snap-in
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,1
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
90
[Registry Values]
• Security related registry values that are not
defined via .adm files can be embedded in
the security templates
– These changes tattoo the registry and have to be
backed out using another template or manually
with regedit.exe
– Some registry values are not exposed through the
Security Configuration Editor UI
• Can be manually added to the template file
• SCE UI can be updated
91
SCE UI
Registry values exposed through %systemroot%\inf\sceregvl.inf
[Register Registry Values]
;
; Syntax: RegPath,RegType,DisplayName,DisplayType,Options
; where
; RegPath: Includes the registry keypath and value
; RegType: 1 - REG_SZ, 2 - REG_EXPAND_SZ, 3 - REG_BINARY, 4 - REG_DWORD, 7 - REG_MULTI_SZ
; Display Name: Is a localizable string defined in the [strings] section
; Display type: 0 - boolean, 1 - Number, 2 - String, 3 - Choices, 4 - Multivalued, 5 - Bitmask
; Options: If Displaytype is 3 (Choices) or 5 (Bitmask), then specify the range of values and corresponding display strings
; in value|displaystring format separated by a comma.
• After making changes compile to sceregvl.pnf by running regsvr32 scecli.dll
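The two file formats above can be checked against each other before a hand-edited template is imported. The following Python is an added example, not part of the seminar material: it parses a template's [Registry Values] entries (RegPath=RegType,Data) and the [Register Registry Values] registrations (RegPath,RegType,DisplayName,DisplayType,Options) and flags values that are hidden from the SCE UI, typed differently from their registration, or outside the registered choices. Only the registry paths come from the slides; the registration lines, display names and choice lists are constructed for the demo.

```python
# Added example, not from the seminar: check a security template's [Registry Values]
# entries against sceregvl.inf-style registrations. Registration lines are constructed.
BOOLEAN, CHOICES = 0, 3        # DisplayType codes from the sceregvl.inf comments

def parse_sections(text):
    """Split .inf text into {section: [lines]}, skipping blanks and ';' comments."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and not line.startswith(";") and current is not None:
            sections[current].append(line)
    return sections

def parse_registry_values(lines):
    """Template syntax 'RegPath=RegType,Data' -> {regpath: (type, data)}, paths casefolded."""
    out = {}
    for line in lines:
        path, _, rest = line.partition("=")
        rtype, _, data = rest.partition(",")
        out[path.strip().casefold()] = (int(rtype), data.strip().strip('"'))
    return out

def parse_registrations(lines):
    """sceregvl syntax 'RegPath,RegType,DisplayName,DisplayType[,Options]'."""
    out = {}
    for line in lines:
        parts = line.split(",", 4)           # Options may itself contain commas
        out[parts[0].casefold()] = (int(parts[1]), int(parts[3]), parts[4] if len(parts) > 4 else "")
    return out

def check_template(template_text, sceregvl_text):
    """Return problem strings; an empty list means every value is typed and exposed correctly."""
    values = parse_registry_values(parse_sections(template_text).get("Registry Values", []))
    regs = parse_registrations(parse_sections(sceregvl_text).get("Register Registry Values", []))
    problems = []
    for path, (rtype, data) in values.items():
        if path not in regs:   # still applied and tattooed by secedit, but invisible in the SCE UI
            problems.append(f"{path}: not registered in sceregvl.inf, hidden from SCE UI")
            continue
        exp_type, dtype, options = regs[path]
        if rtype != exp_type:
            problems.append(f"{path}: type {rtype} but registered as {exp_type}")
        if dtype == BOOLEAN and data not in ("0", "1"):
            problems.append(f"{path}: boolean setting with data {data!r}")
        if dtype == CHOICES and data not in {o.split("|")[0] for o in options.split(",")}:
            problems.append(f"{path}: {data!r} is not a registered choice")
    return problems

TEMPLATE = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
"""
SCEREGVL = r"""[Register Registry Values]
; constructed registrations: the %...% names stand for [strings] entries
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect,4,%DeadGW%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|No action,1|Lock,2|Logoff
"""
```

Running check_template(TEMPLATE, SCEREGVL) reports only NtfsDisable8dot3NameCreation as hidden from the SCE UI; changing a RegType or a choice value in TEMPLATE produces the corresponding mismatch.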
92
Using Templates
[Screenshot: right-click to import the template]
• Imports security settings into the GPO
93
Applying Group Policy
• Where policy settings are mutually exclusive
– The last applied policy takes precedence
• Processing order, LSDOU…
1 Local Group Policy
2 Site Group Policy
3 Domain Group Policy
4 Resources OU Group Policy
5 FileServers OU Group Policy
94
Link Order
• Implement changes to the default by adding
an additional policy
– Set precedence for this policy by moving it to the
top of the list
– Disable changes by unlinking the policy
95
Baseline and Deltas
• Define a policy that provides baseline security for all servers
– Add deltas that implement additional server specific security
[Diagram]
Domain Group Policy applies: Password policy, Account lockout policy, Kerberos policy
Legal (Resource servers OU): Legal-BaselineMemberServer group policy
FileServers OU: Legal-FileServerDelta group policy
WebServers OU: Legal-WebServerDelta group policy
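As an added example (not from the seminar), the following Python resolves LSDOU precedence for the FileServers OU chain above: the domain, baseline and delta GPOs, a change policy linked at the top of the FileServers link list as the Link Order slide suggests, the effect of unlinking it, and the Vista option to exclude local GPOs. GPO names follow the slides; the settings, containers and link orders are constructed.

```python
# Added example, not from the seminar: resolve each setting's effective value under
# LSDOU processing with link order, unlinked policies and the Vista option to exclude
# local GPOs. GPO names follow the slides; the settings and link orders are constructed.
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    order: int            # position in the container's link list; 1 = top = highest precedence
    enabled: bool = True  # an unlinked (disabled) policy is skipped without being deleted

def effective_settings(gpos, scope, exclude_local=False):
    """gpos: {gpo name: {setting: value}}.
    scope: [(container, [Link, ...]), ...] ordered Local, Site, Domain, then OUs top-down.
    Returns (GPO names in the order applied, {setting: (value, "container:gpo")})."""
    applied, winners = [], {}
    for container, links in scope:
        if exclude_local and container == "Local":
            continue
        # Lowest precedence first, so the top of the list (order 1) is applied last and wins.
        for link in sorted(links, key=lambda l: l.order, reverse=True):
            if not link.enabled:
                continue
            applied.append(link.gpo)
            for setting, value in gpos[link.gpo].items():
                winners[setting] = (value, f"{container}:{link.gpo}")   # last applied wins
    return applied, winners

GPOS = {
    "Local Policy": {"MaximumLogSize": 4096},
    "Default Domain Policy": {"MinimumPasswordLength": 8, "LockoutBadCount": 5},
    "Legal-BaselineMemberServer": {"MaximumLogSize": 16384, "LSAAnonymousNameLookup": 0},
    "Legal-FileServerDelta": {"MaximumLogSize": 65536, "AuditSystemEvents": 1},
    "Legal-FileServerChange": {"MaximumLogSize": 131072},  # the additional policy from Link Order
}

def file_server_scope(change_enabled):
    """The chain a computer in the FileServers OU processes (the Site has no links here)."""
    return [
        ("Local", [Link("Local Policy", 1)]),
        ("Site", []),
        ("Domain", [Link("Default Domain Policy", 1)]),
        ("Legal OU", [Link("Legal-BaselineMemberServer", 1)]),
        ("FileServers OU", [Link("Legal-FileServerDelta", 2),
                            Link("Legal-FileServerChange", 1, enabled=change_enabled)]),
    ]

if __name__ == "__main__":
    applied, winners = effective_settings(GPOS, file_server_scope(change_enabled=True))
    print(" -> ".join(applied))
    for setting, (value, source) in sorted(winners.items()):
        print(f"{setting} = {value}  (from {source})")
```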
96
Shared Services
• Ideally dedicate servers for individual
services
– Provides maximum potential for lockdown
• Where multiple services have to be run
on a single server
– Security settings will need to address the
requirements of all services
– Consider running a virtual instance of each server
97
OU Design is Important
[Diagram: the Legal resource-server OU tree and its GPOs]
Legal (Resource servers OU): Legal-BaselineMemberServer group policy
FileServers OU: Legal-FileServerDelta group policy
WebServers OU: Legal-WebServerDelta group policy
AD Delegation:
– Management of computer objects: use the delegation wizard
– Management of GPOs: requires ability to create and link GPOs; use GPMC
– Delegate file server admin: use restricted groups
98
New ways…
• Windows 2003 SP1 includes the Security
Configuration Wizard (SCW)
– Disables unneeded services
– Blocks unused ports
– Allows further address or security restrictions for
ports that are left open
– Prohibits unnecessary IIS web extensions
– Reduces protocol exposure to server message
block (SMB), LanMan, and Lightweight Directory
Access Protocol (LDAP)
– Defines audit policy
99
Security Configuration Wizard
[Diagram: SCW scans a reference computer, identifies its roles from an XML database of server roles and preferences, and writes an XML policy]
• Scans reference computer
– Reference computer should be a clean install
– Similar hardware to production servers
– Install all common applications (virus scanners etc)
• SCW must be installed on all servers with which it is used
– Works for Windows Server 2003 SP1 only
100
System Lockdown Options
• Defines system lockdown policy based on server roles
– Services
– Firewall
– Registry
– Auditing
– IIS
• Saves policy as XML
– View with SCW Viewer (does not show template settings)
• For additional security settings add security templates
101
Deploying Policy
[Diagram: the saved XML policy feeds each of the options below]
• Deploy against single/multiple servers
– Specify multiple servers via file list or OU
– Changes can be rolled back
• Analyze compliance
• Convert to security template
– Deploy via Group policy
• Some options available through GUI
• All options use the SCW command line tool
– scwcmd.exe
102
Microsoft Guidance
• SCW with its rollback capability provides a
good way to test before deploying through
group policy
• For details of using SCW in combination with
Group Policy, see
– “Windows Server 2003 Security Guide”
• See also
– “Threats and Countermeasures: Security Settings
in Windows Server 2003 and Windows XP”
103
Software Restriction Policies
• SRP disables/enables the execution of
program files
• Files can be processed based on
– Hash value
– Certificate
– Path
• Simplest to specify and maintain
– Internet zone
• Only applicable to Windows Installer files
104
Program Lockdown
[Diagram: “I can’t run my downloaded games”]
Windows, System32 and Program files: unrestricted execution
Everywhere else: restricted execution (restrict unwanted programs)
User must be denied write access to all unrestricted folders
• Filter based on path
• Disallowed option will need careful testing to make sure all required applications execute
– Check all application dependencies
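The following Python is an added example, not from the seminar: it evaluates path-based SRP rules for the lockdown above (default level Disallowed, with Windows, System32 and Program Files Unrestricted, the most specific matching rule winning) and lists the Unrestricted folders a standard user can write to, which is the condition the slide says must not exist. The environment variable values, the rules and the writable-folder list are constructed.

```python
# Added example, not from the seminar: evaluate path-based Software Restriction
# Policy rules (default Disallowed; Windows, System32 and Program Files Unrestricted)
# and flag Unrestricted folders a standard user can write to. All paths, rules and
# ACL results below are constructed.
import ntpath
import re

ENV = {"SYSTEMROOT": r"C:\Windows", "PROGRAMFILES": r"C:\Program Files"}  # assumed values

def normalize(path):
    """Expand %VAR% references and normalise case and separators as NTFS compares paths."""
    expanded = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(expanded))

def rule_matches(rule_path, target):
    """A path rule covers the folder itself and everything beneath it."""
    rule = normalize(rule_path)
    return target == rule or target.startswith(rule.rstrip("\\") + "\\")

def decide(exe_path, rules, default="Disallowed"):
    """rules: [(path, level)]. The most specific (longest) matching path rule wins,
    which is how SRP resolves conflicting path rules. Returns the security level."""
    target = normalize(exe_path)
    matches = [(len(normalize(p)), level) for p, level in rules if rule_matches(p, target)]
    return max(matches)[1] if matches else default

def writable_unrestricted(rules, user_writable_dirs):
    """Unrestricted folders that a standard user can write to defeat the lockdown,
    because anything copied there runs. Return the offending rule paths."""
    return [p for p, level in rules
            if level == "Unrestricted"
            and any(rule_matches(p, normalize(d)) for d in user_writable_dirs)]

RULES = [
    (r"%SystemRoot%", "Unrestricted"),
    (r"%SystemRoot%\System32", "Unrestricted"),
    (r"%ProgramFiles%", "Unrestricted"),
    (r"%SystemRoot%\Temp", "Disallowed"),      # more specific rule overrides its parent
]
# Constructed ACL audit result: folders where BUILTIN\Users hold write access.
USER_WRITABLE = [r"C:\Program Files\LegacyApp\Logs", r"C:\Users\alice\Downloads"]

if __name__ == "__main__":
    for exe in (r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Downloads\game.exe",
                r"C:\Program Files\App\app.exe", r"C:\Windows\Temp\tool.exe"):
        print(f"{exe}: {decide(exe, RULES)}")
    print("Unrestricted but user-writable:", writable_unrestricted(RULES, USER_WRITABLE))
```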
105
Troubleshooting Lockdown
• Use Event Viewer to troubleshoot lockdown
– If you are too restrictive you can block access to a system
• Use a virtual machine that can be reset to recover while testing
Vista technologies…
107
Windows Vista for Business
• Windows Vista Business
– New user interface, named Windows Aero™
– New ways to retrieve and manage documents
• Windows Vista Enterprise
– Vista Business +
• Windows BitLocker™ Drive Encryption
• Virtual PC Express
• Windows Vista Ultimate
– Vista Enterprise +
• Multi media capabilities
108
Core Platform Enhancements
• From start to finish engineered with Security
Development Lifecycle process
• Many kernel and user mode changes
• As an example, services have had a major
overhaul
– Services run in session 0; user sessions run in session 1 and above
– Realigned to run with least privilege
– Unnecessary privileges stripped from token at
service start up
– SID associated with services allowing permissions
to be set on system resources
– Service network access can be controlled
109
Code Execution Protection
[Diagram: a virus, worm, malware or hacker injects code into a data region of memory and executes it; with NX the result is a status access violation exception and the process is terminated]
• NX (DEP) protects data from being executed
– Protects against buffer overflow attacks
– An ISV can mark their code as NX-compliant
• Vista also improves heap buffer overflow detection
– Terminates misbehaving process
110
Address Space Layout Randomization (ASLR)
[Diagram: pre-Vista, malware knows where an OS DLL is loaded in memory; on Vista it no longer does]
• ASLR randomly assigns DLLs and EXEs to one of 256 locations
– Just got harder for malware!
So what affects the user and administrator?
- Apart from the new interface
112
Vista - User Account Control
[Diagram: Windows Defender + anti virus; “You can no longer take over my computer!” / “I can still trample over all of your data”]
• Users run as a standard user
• So do administrators
– When required, privileges can be elevated
• Via a simple prompt or by supplying credentials
• Only the appropriate process is elevated
113
Many changes
• Users can now
– Change time zone
– Install Wired Equivalent Privacy (WEP) to connect to secure wireless networks
– Change power management settings
– Add printers and other devices
• Drivers preinstalled on computer or allowed by an IT administrator in Group Policy
– Install ActiveX Controls from sites approved by an IT administrator
– Create and configure a Virtual Private Network connection
– Install critical Windows Updates
114
UAC Architecture
[Diagram: logon of a member of the local Administrators group produces a split token]
Admin Token (Administrative Rights): User SID, Administrators, Users, Others
Filtered Token (“Standard User”, Standard User Rights): User SID, Users, Others
115
UAC Architecture: Standard User Rights
[Diagram: user processes run with the Filtered Token (“Standard User”): User SID, Users, Others; a virus, worm, malware or hacker in such a process is blocked (X) from operations requiring admin privileges]
• Change Time Zone
• Run Standard User Compliant Applications
• Install Fonts
• Install Printers
• Run MSN Messenger
Operations requiring admin privileges are blocked, or may cause a prompt for elevation (your choice!)
Many of the operations that previously needed administrator privileges have been changed
116
UAC Architecture: Administrative Rights
[Diagram: an admin process (e.g. manage users) runs with the Admin Token: User SID, Administrators, Users, Others; “Check that you want to do this!”]
• Elevation options set via policy to:
– Elevate with no prompt
– Elevate with prompt
– Elevate with credentials
• Malware can ride along with the elevation
– It is not a security boundary
117
Secure Desktop
• The Secure Desktop blocks interaction with the user’s interface
– Malware cannot steal information from the Secure Desktop
• A user could still craft a trojan that looks like the secure desktop
– Never enter your credentials unless you have been prompted
118
Incompatible Applications
• Most applications that require
administrative privileges are
– Writing to a restricted registry key
– Writing to a restricted file system directory
• e.g. the Program Files directory
• Vista virtualises folders, files and
registry
119
Redirection Locations
• Redirection removes need for elevation
– Writes to HKLM go to HKCU redirected
store
• ……
– Writes to system directories redirected to
per-user store
• (%localappdata%\virtualstore)
120
So Can I do This with XP - Yes
Compatibility Administrator
121
Tools You Should Know About
• Microsoft Application Compatibility
Toolkit 5.0
– Includes Compatibility Administrator
• Standard User Analyzer
• Application Verifier
• Download from Microsoft web
– All free!
How about the TCP/IP stack
123
Biggest Change Since Windows 95!
[Diagram: Next Generation TCP/IP Stack (tcpip.sys). User mode: Winsock, TDI clients, WSK clients. Kernel mode: AFD, TDI, TDX, WSK; TCP, UDP and RAW over a dual IPv4/IPv6 layer with the Windows Filtering Platform API; 802.3, WLAN, Loopback, IPv4 Tunnel and IPv6 Tunnel over NDIS]
• Dual-IP layer architecture for native IPv4 and IPv6 support
• Seamless security through expanded IPsec integration
• Improved performance via hardware acceleration
• Network auto-tuning and optimization algorithms
124
Routing Compartments
[Diagram: user-mode applications App1 to App4 (S1 to S3) in compartments C1 and C2, each compartment owning its own interfaces (IF 1, IF 2, IF 3) in the kernel]
• Interfaces isolated in virtual compartments
• One routing table per compartment
• Applications run in only one compartment
• Isolation enforced in Kernel mode
125
Three Network Classifications
• Public
– Connected to a network that has direct Internet access
• Private
– Connected to a network that has some level of protection
from the Internet
• Domain
– Connected to a network that contains a domain controller for
the domain to which the computer is joined
• Different rules and policies can be applied to each
classification
– Firewall
– IPsec
126
Windows Firewall with Advanced Security
• Combined firewall and IPsec management
– New management tools
• Windows Firewall with Advanced Security snap-in
• Group policy
• Firewall rules become more intelligent
• Inbound and outbound filtering
All these settings require new group policy
128
Key Enhancements
• Group Policy Management Console (GPMC) built in
– Support for Vista policies, no major new features
• Support for multiple local GPOs
– Machine (same LGPO as today)
– Admin or non-Admin local groups
– Individual local users
• Application order LSDOU as before
– Local order machine, group, user
• New policy setting: Exclude processing of all local GPOs
129
Network Awareness
• Group policy leverages Network
Awareness
– If group policy refresh fails, it tries again
when the network is reconnected
– Group policy subscribes to DC availability
notification
• No more Pings
– Enhanced logging through event viewer
130
New Template Files
• ADM files are replaced by ADMX (XML)
– ADM and ADMX files can coexist
– Multilingual support via associated ADML
– Local or central storage of files
• [sysvol]\policies\policydefinitions
– Not stored in each policy
• Once centrally published the local files are
ignored
131
Policy Settings For All…
[Diagram of policy areas: Removable Storage Devices, IPsec / Windows Firewall, Windows Defender, Network Access Protection, User Account Control, Wired and Wireless Policy, Power Management, Internet Explorer, Desktop Shell, Printer Management, Troubleshooting & Diagnostics, Tablet PC, Windows Error Reporting, Globalization, Remote Assistance]
• 1,800+ policy settings for XP/2003
• 2,400+ in Windows Vista
How do we block unhealthy
clients from our network?
Network Access Protection (NAP)
[Diagram: Windows client; DHCP, VPN or Switch/Router enforcement point; Microsoft NPS; policy servers (e.g. Patch, AV); Fix Up servers (e.g. Patch) on a Restricted Network; Corporate Network]
1 Client requests access to network and presents current health state
2 DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3 Network Policy Server (NPS) validates against IT-defined health policy
4 If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5 If policy compliant, client is granted full access to corporate network
134
NAP - Enforcement Options
Enforcement | Healthy Client | Unhealthy Client
DHCP | Full IP address given, full access | Restricted set of routes
VPN (Microsoft and 3rd Party) | Full access | Restricted VLAN
802.1X | Full access | Restricted VLAN
IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems
• Complements layer 2 protection
• Works with existing servers and infrastructure
• Flexible isolation
135
Many More Features
If only we had another day…
So where next?
137
Is your IT Infrastructure Secure?
Make sure you can answer YES
Answer with Authority
Show you have done due diligence
138
Is your infrastructure secure?
Our infrastructure matches the
requirements of our security
policy
Balancing the need for security, user
requirements, and compliance
139
How do you know your policies are correct?
We regularly run our Risk
Management Process
140
How do you know your
infrastructure will remain secure?
We perform regular assessments
and audits
141
What happens if you are
exploited?
We have a tried and tested
response plan
142
It’s a Long and Winding Road
Think security
Thanks for coming to the seminar
Hope to see you again
Shameless Plug…
• Order on the web www.kimberry.co.uk
• Use discount code KB3955 (45% discount)
143
144
Consultancy
• Please contact us directly for
comprehensive consulting services
– [email protected]
– [email protected]