Effective Windows Desktop Security


EDUCAUSE
Midwest Regional 2008
Effective Windows Desktop Security
John Bruggeman, [email protected]
Director of Information Systems
Hebrew Union College – Jewish Institute of Religion
March 18th, 2008
EDUCAUSE MWR 2008 - John Bruggeman
Windows Desktop Security !
Agenda
 Windows Security
• Defense in Depth
– 4 walls of protection
• Top Vulnerabilities
• Frequent Mistakes
 EDUCAUSE Security Taskforce Effective Practices
• EP’s on many areas, not just Windows
 Tools that work
• Comodo Firewall, Spybot Tea Timer, MBSA
• Demo Spybot & Comodo
 Questions & Answers
Copyright Notice
Copyright John Bruggeman, 2008. This work is the intellectual property of
the author. Permission is granted for this material to be shared for noncommercial, educational purposes, provided that this copyright statement
appears on the reproduced materials and notice is given that the copying is
by permission of the author. To disseminate otherwise or to republish
requires written permission from the author.
Who am I?
John Bruggeman
 Director of Information Systems (and Telecommunications)
 Hebrew Union College – Jewish Institute of Religion
• 4 campuses – LA, NY, Cincinnati, Jerusalem
• Responsible for all IS and Telecom issues
• 4 staff (one per campus plus one Website Manager)
 GSEC certified in 2003, recertified in 2005
 GCWN certified in 2008 (Windows Security)
 Active in INFRAGARD and the EDUCAUSE Security Task Force
 Advocate for IT Security –
• We are only as secure as our weakest link!
Defense in Depth
4 Layers of Defense – 4 Walls
 Wall 1 – Blocking attacks at the Network (IPS and IDS)
• Tools to use at the Network, beyond a traditional firewall
 Wall 2 – Blocking attacks at the Host (IPS and IDS)
• Tools to use on the PC
– Anti-Virus, Anti-Spam, Anti-Phishing, Anti-Spyware
 Wall 3 – Eliminating Security Vulnerabilities (SANS Top 20)
• Windows Vulnerabilities
 Wall 4 - Safely supporting Authorized Users
• Balancing security and access
Defense in Depth cont.
Layer 1 – Blocking Attacks at the Network
 IPS (Intrusion Protection Systems)
• Block traffic before it penetrates
• Checks the “content” of traffic and allows or denies it
 IDS (Intrusion Detection Systems)
• Notices when a system has been compromised (post attack)
 Firewall / Malware detection at the perimeter
• Classic firewalls are being replaced with IPS devices
• Appliance Firewalls for small institutions
– 3Com OfficeConnect, Fortinet, SonicWall
• Big Iron for large institutions
– Check Point, Juniper
Defense in Depth – cont.
Layer 2 – Blocking Attacks at the Host
 Host Intrusion Prevention Systems
• Spybot TeaTimer, Symantec AV & IPS
– Blocks unauthorized application loading
– AV IPS uses behavior patterns, not static patterns
 Personal Firewalls
• Comodo Firewall / IPS, ZoneAlarm
– Same as hardware firewalls: permits only explicitly allowed traffic
– Stealth mode hides the computer from hacker scans
– Egress filtering helps deter “phone home” by Trojans
• XP SP2 firewall, aka ICF (Internet Connection Firewall)
– ICF overview
» ICF is a stateful packet filter with an “unfriendly” user interface
» No egress filtering, no immediate notification
Defense in Depth - cont
Windows Vista security features include:
 Hardened services
 User Account Control (UAC)
 Windows Defender (Anti-Spyware)
 Windows Firewall enhancements
 Network Access Protection
 Internet Explorer Protected Mode
 Phishing Filter
 BitLocker Drive Encryption
 Rights management
Vista Enhancements
User Account Controls
 Enables a user to have a non-administrator account and still be productive
 All users operate at the lowest possible privileges
 Vista has a special account that runs in AAM (Admin Approval Mode)
• Means that the user either supplies administrative credentials or consents (depending on Group Policy settings) to perform typical admin functions
– EXAMPLE: install a program
Vista Enhancements
Vista Firewall – Improved! (Yeah!!)
 The Windows Vista firewall will now have the ability to block outgoing traffic
 Windows XP only blocked incoming traffic
 Provides the ability to stop peer-to-peer connections
 Provides the ability to stop instant messaging programs
ICF Screen shot (slide image)
Comodo Firewall (slide image)
Windows Vista Firewall
 Both inbound and outbound
 Authentication and authorization aware
 Outbound application-aware filtering is now possible
 Includes IPSec management
 Of course, policy-based administration
 Great for Peer-to-Peer control
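Egress filtering as the Vista firewall slide describes it, as an added PowerShell example (not from the presentation) that drives the Vista netsh advfirewall context; the rule name and the program path are placeholders to replace with the real client, and the script expects an elevated prompt on Vista or later.

```powershell
# Added example, not from the presentation: outbound (egress) filtering with the
# Windows Vista firewall through netsh advfirewall. Run from an elevated PowerShell prompt.
# The rule name and program path are placeholders; point them at the real client.

$ruleName = 'Block outbound - example P2P client'
$program  = 'C:\Program Files\ExampleP2P\p2pclient.exe'   # placeholder path

# 1. Inspect the default action per profile. Vista ships with inbound blocked and
#    outbound allowed, so without rules it still behaves like XP for outgoing traffic.
netsh advfirewall show allprofiles | Select-String 'Profile Settings|Firewall Policy'

# 2. Application-aware egress rule: drop everything this program sends, on every profile.
netsh advfirewall firewall add rule name="$ruleName" dir=out action=block program="$program" enable=yes profile=any

# 3. Stricter stance: default-deny outbound, then allow only what is needed.
#    Left commented out because it cuts off all outbound traffic until allow rules exist.
# netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
# netsh advfirewall firewall add rule name="Allow outbound web" dir=out action=allow protocol=TCP remoteport=80,443

# 4. Verify the rule is present; a "No rules match" message means step 2 did not take.
netsh advfirewall firewall show rule name="$ruleName"

# Rollback if the rule turns out to break something the user needs:
# netsh advfirewall firewall delete rule name="$ruleName"
```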
Defense in Depth – cont.
Layer 2 – Blocking Attacks at the Host
 Personal Anti-Malware
• Spybot Search and Destroy, Symantec, Microsoft Windows
Defender, Sunbelt Counter-Spy, Tenebril SpyCatcher
• Pattern matching for known signatures
 Network Access Control – Host Based
• NAC clients verify configuration and patch level
• Can enforce network policy and quarantine computers that do not comply with the policy
– Bradford Networks, Cisco Clean Access, ISS products
SpyBot Normal (slide image)
SpyBot - Immunize (slide image)
SpyBot - Advanced (slide image)
SpyBot - Tools (slide images)
Defense in Depth – cont.
Layer 3 – Eliminating Security Vulnerabilities
 Vulnerability Management and Testing
• Know your systems – are they patched?
 Patch Management
• Use patch management systems to keep clients current
– WSUS, BigFix
 Application Security Testing
• Tools from Foundstone and SourceForge can help with application testing
– http://www.foundstone.com/us/resources-free-tools.asp
Defense in Depth cont.
Layer 3 – Eliminating Security Vulnerabilities

 SANS Top Vulnerabilities in Windows Systems
– The SANS (SysAdmin, Audit, Network, Security) Institute
• From the SANS website www.sans.org
1) Windows Services
2) Internet Explorer
3) Windows Libraries
4) MS Office and Outlook Express
5) Windows Configuration Weaknesses
Defense in Depth cont.
Layer 3 – Eliminating Security Vulnerabilities
 Acronyms Galore!
• CVE, CPE, CCE, CVSS, OVAL, SCAP, NVD
– Common Vulnerabilities and Exposures (CVE)
– Common Platform Enumeration (CPE)
– Common Configuration Enumeration (CCE)
– Common Vulnerability Scoring System (CVSS)
– Open Vulnerability and Assessment Language (OVAL)
– Security Content Automation Protocol (SCAP, pronounced “s-cap”)
– National Vulnerability Database (NVD)
• SCAP / NVD – http://nvd.nist.gov
• MITRE – http://cve.mitre.org, http://cpe.mitre.org
Defense in Depth cont.
Top Vulnerabilities in Windows Systems

 From the SANS website www.sans.org
1) Windows Services
• Critical vulnerabilities were discovered in these services in 2006
– Server service (MS06-040, MS06-035)
– Routing and Remote Access Service (MS06-025)
– Exchange Service (MS06-019)
• What to do?
– Disable the service if possible
– Scan for vulnerabilities
– PATCH
Windows Services (slide image)
Defense in Depth cont.
 From the SANS Website www.sans.org
2) Internet Explorer
– Multiple vulnerabilities were discovered in IE in 2006
» Vulnerability in Vector Markup Language – Remote Code Execution (MS06-055)
» Cumulative Security Update for IE (MS06-042)
» Vulnerability in Microsoft JScript – Remote Code Execution (MS06-023)
» Cumulative Security Updates for IE (MS06-021, MS06-013, MS06-004)
– How to mitigate
» On XP, install SP2 and upgrade to IE 7
» On 2000 and NT, keep patches current
» Use DropMyRights from MS to lower IE privileges
» Check your Browser Helper Objects (BHOs) for spyware
» Disable Scripting and ActiveX
Windows IE settings (slide image)
Defense in Depth cont.
From the SANS Website www.sans.org
3) Windows Libraries
• DLLs can have buffer overflow vulnerabilities
• Vulnerabilities discovered in 2006
– Vulnerability in HTML Help could allow RCE (MS06-046)
– Vulnerability in Windows could allow RCE (MS06-043)
– Vulnerability in Graphics Rendering Engine (MS06-001, MS06-026)
– Vulnerability in Embedded Web Fonts (MS06-002)
• Patch your system and scan for vulnerabilities
• Use least privilege where possible
• Filter IP ports 135-139 and 445
• Use an IPS and IDS
Defense in Depth cont.
 From the SANS Website www.sans.org
4) MS Office and Outlook Express
– Attack vectors are email attachments, website documents, and news servers
– Several critical vulnerabilities in 2006
» PowerPoint RCE (CVE-2006-5296)
» Word Malformed Stack Vulnerability (MS06-060)
» Office and PowerPoint MSO.DLL (MS06-062, MS06-048)
» Excel Multiple RCE (MS06-059)
» PowerPoint Malformed Record (MS06-058)
» Visio, Works and Project VBA (MS06-047)
» Office Malformed String Parsing (MS06-038)
» Excel Malformed SELECTION record (MS06-037)
» Word Malformed Object Pointer (MS06-027)
» Outlook and Exchange TNEF Decoding (MS06-003)
Defense in Depth cont.
 MS Office and Outlook continued
• Check your systems with a vulnerability scanner
– MBSA, Windows Update
• Mitigate by patching; disable the IE feature of opening Office documents
• Configure Outlook with enhanced security
• Use IPS and IDS
Defense in Depth cont.
 From the SANS Website www.sans.org
5) Windows Configuration Weaknesses
– Weak passwords on accounts or network shares
» LAN Manager hashes are weak and should be replaced with stronger, more current hash techniques
» Default configurations for servers and applications can open machines to password guessing
» MSDE ships with the SA account set with a blank password
» Several worms take advantage of this: Voyager, Alpha Force, SQL Spida use known weak configurations to spread
– Enforce a strong password policy
– Prevent Windows from storing the LM hash in AD or the SAM
– Disable NULL shares and restrict anonymous access
Defense in Depth cont.
Frequent Mistakes made in Windows Security
• www.sans.org/reading_room/whitepapers/windows/1016.php
 Allowing Null Sessions
• http://www.microsoft.com/technet/security/bulletin/ms99-055.mspx
• http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/swin2k06.mspx
 Weak Lockout Policies
• http://www.microsoft.com/technet/archive/security/chklist/xpcl.mspx
 Weak Account Policies
 Multiple Trust relationships
 Multiple Domain admin accounts
 Audit logs turned off
 Automatic Updates turned off
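An added audit script (not from the presentation) that reads the settings behind several of these mistakes, plus the LM hash storage setting from the password slides, from the standard Windows registry locations and the local account policy; it only reports, changes nothing, and assumes an elevated prompt on XP SP2 / 2003 / Vista.

```powershell
# Added example, not from the presentation: audit a host for several of the frequent
# mistakes above (null sessions, LM hashes, weak lockout policy, Automatic Updates off).
# Read-only. Run from an elevated PowerShell prompt on XP SP2 / 2003 / Vista.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
# If Group Policy manages updates, AUOptions lives under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU instead of $au.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value (or the key) is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# One row per mistake: the registry value that controls it and the hardened setting.
$checks = @(
    @{ Mistake = 'LM hash stored in SAM/AD';    Path = $lsa; Name = 'NoLMHash';             Want = '1';      Test = { param($v) $v -eq 1 } },
    @{ Mistake = 'Null sessions allowed';        Path = $lsa; Name = 'RestrictAnonymous';    Want = '1 or 2'; Test = { param($v) $v -ge 1 } },
    @{ Mistake = 'Anonymous SAM enumeration';    Path = $lsa; Name = 'RestrictAnonymousSAM'; Want = '1';      Test = { param($v) $v -eq 1 } },
    @{ Mistake = 'LM / NTLMv1 responses sent';   Path = $lsa; Name = 'LmCompatibilityLevel'; Want = '>= 3';   Test = { param($v) $v -ge 3 } },
    @{ Mistake = 'Automatic Updates turned off'; Path = $au;  Name = 'AUOptions';            Want = '3 or 4'; Test = { param($v) $v -ge 3 } }
)

$failures = 0
foreach ($c in $checks) {
    $value = Get-RegValue $c.Path $c.Name
    # An absent value means the insecure default is in effect, so it counts as a failure.
    $ok = ($null -ne $value) -and (& $c.Test $value)
    if (-not $ok) { $failures++ }
    $shown = if ($null -eq $value) { '<not set>' } else { $value }
    '{0} {1,-30} {2} = {3} (want {4})' -f $(if ($ok) { 'OK  ' } else { 'FAIL' }), $c.Mistake, $c.Name, $shown, $c.Want
}

# Lockout and password policy live in the local security database, not the registry.
# "Lockout threshold: Never" is the weak lockout policy the slide warns about.
net accounts | Select-String 'Lockout threshold|Lockout duration|Minimum password length|Maximum password age'

"$failures of $($checks.Count) registry checks failed"
```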
Password Policies (slide image)
Defense in Depth cont.
Common Password Myths
1. Password hashes are safe using NTLMv2
2. Hr^y*Pwe(1#$ is a great password
   1. [email protected] is better
3. 14 characters is the optimal length
   1. Passwords over 14 characters have an invalid hash stored
4. M1ke100 is a good password
5. Eventually any password can be cracked
6. Passwords should be changed every 60 days
7. You should never write down your password
8. Passwords can’t include spaces
Defense in Depth cont.
Frequent Mistakes made in Windows Security
 Updates turned off
• SANS, Gartner Group, and others report that 80-90% of attacks are from known vulnerabilities.
• SQL Slammer, W32.Slammer in 2005 attacked a known vulnerability that had a patch available 6 months before it hit.
 Need to patch systems and keep them current
• Does require a patch management strategy
• Will require time
• Payoff is less downtime
Defense in Depth cont.
Patching Windows
 What to Patch
• OS
• Applications
 Types of Patches from MS
• Hotfix, Update, Critical Update, Security Patch, Update Roll-up, Service Pack
Defense in Depth cont.
How to Patch
 Develop a Plan
• Hardware and Software Inventory
• Patch management Policy & Process
• Include a notification process
• Track & check patch level
• Download and test patches prior to deployment
• Deploy patches
• Audit workstations for compliance
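The track-and-check and compliance-audit steps of the plan above, as an added PowerShell example (not from the presentation); the KB numbers and the host list are placeholders to fill from your patch policy and hardware/software inventory.

```powershell
# Added example, not from the presentation: compare the OS hotfixes installed on each
# workstation in an inventory against the list the patch policy requires.
# KB IDs and host names are placeholders; localhost keeps the script runnable as-is.

# Replace with the KB IDs your patch policy currently mandates (from WSUS or the MS bulletins).
$required  = @('KB000001', 'KB000002')
# Replace with the hosts from your hardware/software inventory.
$computers = @('localhost')

foreach ($pc in $computers) {
    # Win32_QuickFixEngineering lists OS-level hotfixes only; Office and other product
    # patches need MBSA or Microsoft Update, as the later slides describe.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $pc -ErrorAction SilentlyContinue
    if ($null -eq $qfe) {
        "$pc : unreachable or WMI access denied (check firewall / DCOM permissions)"
        continue
    }
    # @(...) keeps a single result from collapsing to a scalar.
    $installed = @($qfe | ForEach-Object { $_.HotFixID })
    $missing   = @($required | Where-Object { $installed -notcontains $_ })
    if ($missing.Count -gt 0) {
        "$pc : NOT COMPLIANT, missing " + ($missing -join ', ')
    } else {
        "$pc : compliant, $($installed.Count) hotfixes installed"
    }
}
```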
Defense in Depth cont.
How to Patch
 Tools from Microsoft (MS)
• Analysis tool from MS: Microsoft Baseline Security Analyzer (MBSA)
• Online update services –
– Microsoft Update, Windows Update, or Download Center
• Push / Management tools
– WSUS server, SMS server, Group Policies
Defense in Depth cont.
How to Patch
 Tools from Microsoft
• Microsoft Update is different from Windows Update
– MU updates all MS products, not just Windows
» Office updates, Server product patches
• WSUS is the updated SUS server
– New version coming out, WSUS 3.0 in Beta now
– www.microsoft.com/wsus
– Targeted client installs, selective client patching, uninstall options
Defense in Depth cont.
How to Patch
 Commercial Tools
• Altiris Patch Management
– www.altiris.com
• BigFix Patch Manager
– www.bigfix.com
• Ecora Patch Manager
– www.ecora.com
• LanDesk Patch Management
– www.landesk.com
Defense in Depth cont.
Testing and Verification
 Patch systems are not perfect; you need to test after patches have been applied
 Tools
• Microsoft Baseline Security Analyzer 2.1 (Beta)
– Used for Vista and below
• MBSA 2.0
– Used for Windows 2000 + SP3 and later
– Office XP and later
– Exchange 2000 and later
• MBSA 1.2.1
– Office 2000
– Exchange 5.0 and 5.5
Defense in Depth cont.
Hardening Windows
 Hardening techniques
• Limit services
– Verify what services are needed
– On servers, usually these can be disabled
» IIS (unless needed), Fax service, Indexing service, Messenger, Telnet, Remote Access, QoS RSVP, others
– On workstations, disable unless needed
» Fax service, Indexing service, Messenger, Telnet, others
» Enable firewall
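An added PowerShell script (not from the presentation) for the service-limiting step above: it reports the state and start mode of the services the slide names and disables them only when asked; the internal service names are the standard Windows ones for those components, so verify them against your own build before acting.

```powershell
# Added example, not from the presentation: report, and optionally disable, the services the
# slide lists as usually unnecessary. Dry run by default; pass -Disable to change startup types.
# Keys are the Windows internal service names; verify them against your build first.
param([switch]$Disable)

$candidates = @{
    'Fax'          = 'Fax service'
    'CiSvc'        = 'Indexing Service'
    'Messenger'    = 'Messenger (net send messages, XP)'
    'TlntSvr'      = 'Telnet server'
    'RSVP'         = 'QoS RSVP'
    'RemoteAccess' = 'Routing and Remote Access'
    'W3SVC'        = 'IIS World Wide Web Publishing (servers: only if no web role)'
}

foreach ($name in ($candidates.Keys | Sort-Object)) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service in PowerShell 1.x does not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        '{0,-14} not installed' -f $name
        continue
    }
    '{0,-14} state={1,-8} startmode={2,-9} {3}' -f $name, $svc.State, $svc.StartMode, $candidates[$name]

    if ($Disable -and $svc.StartMode -ne 'Disabled') {
        # Stop it now, then keep it from coming back at the next boot.
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
        '{0,-14} -> stopped and set to Disabled' -f $name
    }
}

# Cross-check: anything still listening afterwards should belong to a service you chose to keep.
netstat -ano -p tcp | Select-String 'LISTENING'
```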
Defense in Depth cont.
Hardening Windows
 Hardening techniques
• Limit applications
– Verify what applications are needed; many can be removed without impacting functionality
– On servers, usually you can remove the following
» Outlook Express, IIS, Media Player, Journal viewer, Games, POSIX, OS2 subsystem
– On workstations, usually you can remove the same
– Limit what applications end users can run
– Do not allow end users to install applications
Defense in Depth cont.
Hardening Windows
 Hardening techniques
• Limit protocols
– Verify what protocols are needed for your network
» On servers normally TCP/IP is sufficient
» On workstations normally TCP/IP is all that is needed
» Remove IPX/SPX and NetBIOS
• Limit Network devices
– Bluetooth (disable unless needed)
– Wireless (disable unless needed)
– Firewire (disable unless needed)
Defense in Depth cont.
Hardening Windows
 Firewalls
• Host based firewalls
– Server options
» Windows 2003 SP1 firewall option
– Workstation options
» XP SP2, ZoneAlarm, Comodo Firewall
» 85 listed on Download.com
– Vista
» Much better default settings in Vista
Defense in Depth cont.
Hardening Windows
 Intrusion Protection Systems
• IPS vs IDS
– Why detect when you can protect?
– Signature vs Anomaly
• IPS can be host or network based
• IPS Host options
– eEye Blink, Prevx Home
• IDS host options
– SFC (System File Checker) from MS (can be spoofed)
– LanGuard
• IPS Network options
– Forescout, Tipping Point, McAfee, ISS are options
Defense in Depth cont.
Layer 4 – Safely supporting authorized Users
 ID and Access Management
• Verify that the right people are allowed to use a system
• Two factor authentication
– Pass phrase and token
• Three factor authentication
– Pass phrase, token, biometric
 File Encryption
• Encrypt your sensitive data and your backups!
• USB drive encryption
• Backup encryption
• BitLocker in Vista – the start of HD encryption
Defense in Depth cont.
Layer 4 – Safely supporting authorized Users
 Secure Communication
• SSL, encrypted tunnels, VPN’s
– SSL firewalls are hot / popular
» Easy for the end user to use
 PKI – Public Key Infrastructure
• Digital certificates, public key cryptography, Certificate Authorities
• Big topic, lots of details here, but adds a significant layer of security for the end users
EDUCAUSE Security Task Force Effective Practices
The EP group is a sub-group of the Security Task Force
 Meets bi-weekly on Fridays via phone conference
 Active Security staff in the Higher Ed space
 Develops Effective Practices drawn from real world staff
 Website link is:
• https://wiki.internet2.edu/confluence/display/secguide/Effective+IT+Security+Practices+and+Solutions+Guide
EDUCAUSE Security Task Force Effective Practices
Current List of EP’s
 Access Control Systems and Methodology (IT Security Guide)
 Applications and System Development (IT Security Guide)
 Awareness and Training (IT Security Guide)
 Business Continuity and Disaster Recovery (IT Security Guide)
 Compliance and Legal Issues (IT Security Guide)
 Confidential Data Handling Blueprint (IT Security Guide)
 Data Incident Notification Toolkit (IT Security Guide)
 Incident Handling and Forensics (IT Security Guide)
 Operations Security (IT Security Guide)
 Personnel Security (IT Security Guide)
 Physical and Environmental Security (IT Security Guide)
 Responsible Use and Ethics (IT Security Guide)
 Risk Management (IT Security Guide)
 Security Architecture and Models (IT Security Guide)
 Security Policies and Procedures (IT Security Guide)
 Telecommunications and Network Security (IT Security Guide)
EDUCAUSE Security Task Force Effective Practices
My top picks from the list:
 Confidential Data Handling Blueprint
 Awareness and Training
 Data Incident Notification Toolkit
 Incident Handling and Forensics
 Risk Management
 Security Policies and Procedures
What about Vista?
Vista Security Enhancements
Threat and Vulnerability Mitigation
• IE – protected mode / anti-phishing
• Windows Defender
• Bi-directional Firewall
• IPSEC improvements
• Network Access Protection (NAP)
Fundamentals
• SDL
• Service Hardening
• Code Scanning
• Default configuration
• Code Integrity
Identity and Access Control
• User Account Control
• Plug and Play Smartcards
• Simplified Logon architecture
• BitLocker
• RMS Client
Tools that Work!
Tools and Techniques
 Open Source Tools for Networks testing
• MetaSploit
– Framework for testing exploits
• Nessus
– Scanning tool to check for vulnerabilities
• Ethereal
– Packet sniffer
 Microsoft Tools for Desktop Security
• MBSA 2.0.1
– MBSA 2.1 in Beta (Vista version)
• IIS Lockdown Tool
• Microsoft Defender (AV / Malware detector)
• http://www.microsoft.com/technet/security/default.mspx
• http://www.microsoft.com/protect/default.mspx
Tools that Work!
Tools and Techniques
 Other Tools for Desktop Security
• Comodo Firewall (better than Zone Alarm)
• Spybot Tea Timer
– No cost IPS (though you can donate)
• Secunia PSI (Personal Software Inspector)
– Beta software that checks for current versions of software installed on your PC
– https://psi.secunia.com/
• MS Defender
– MS anti-spyware / malware tool (Free)
Tools that Work!
Tools and Techniques
 Rootkit revealers
• VICE – freeware
– http://www.rootkit.com/vault/fuzen_op/vice.zip
• Patchfinder - freeware
– http://www.invisiblethings.org
• Rootkit Revealer - freeware
– http://www.sysinternals.com/Files/RootkitRevealer.zip
• Blacklight – commercial from F-secure
– http://www.f-secure.com/
• Tripwire – file based integrity checking
– http://www.tripwire.com
– Not as useful anymore due to memory based rootkits
Demos
Tools and Techniques
 Available Tools
• Spybot Tea Timer
– DEMO
• Comodo Firewall
– DEMO
Windows Security Resources
Resources
• www.educause.edu/security
• www.microsoft.com/technet/security
• www.sans.org/reading_room/whitepapers/windows
• www.securityfriday.com
• www.cert.org
• www.hackingexposed
• www.incidents.org
• http://www.foundstone.com/us/resources-free-tools.asp
Wrap up and Q & A
Fundamental security practice?
 DEFENSE in DEPTH
• 4 Walls or layers of security
 Wall 1 – Block attacks at the Network (IPS and IDS)
 Wall 2 – Block attacks at the Host (IPS and IDS)
• Anti-Virus, Anti-Spam, Anti-Phishing, Anti-Spyware
 Wall 3 – Eliminating Security Vulnerabilities (SANS Top 20)
 Wall 4 - Safely supporting Authorized Users
 Perform a Risk Assessment
 Don’t re-invent the wheel, ask questions, look online
Questions? Comments? Tips?
 My Email: [email protected] 513-487-3269
 http://www.huc.edu