Effective Windows Desktop Security

Download Report

Transcript Effective Windows Desktop Security 

EDUCAUSE
Security Conference 2007
Effective Security Practices for
Higher Education
Effective Windows Security
John Bruggeman, [email protected]
Director of Information Systems
Hebrew Union College – Jewish Institute of Religion
Cincinnati * New York * Los Angeles * Jerusalem
http://www.huc.edu
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !
Agenda
 Top Vulnerabilities in Windows Systems
• (Is there anything new?)
 Frequent Security mistakes
• (Avoid being 0wn3d by a b0t)
 Patching Windows
• (What happened to cleaning them?)
 Hardening Windows
• (Tempered Glass doesn’t count!)
 Tools and Tips
• (What do the Pro’s use and Hackers use?)
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Copyright Notice
Copyright John Bruggeman, 2007. This work is the intellectual property of
the author. Permission is granted for this material to be shared for noncommercial, educational purposes, provided that this copyright statement
appears on the reproduced materials and notice is given that the copying is
by permission of the author. To disseminate otherwise or to republish
requires written permission from the author.
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?
Top Vulnerabilities in Windows Systems

From the SANS website www.sans.org
1)
2)
3)
4)
5)
4/11/2007
Internet Explorer
Windows Libraries
Windows Services
MS Office and Outlook Express
Windows Configuration Weaknesses
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?
 From the SANS Website www.sans.org
1) Internet Explorer (95/98/ME/SE, NT, 2000, XP, 2003)
– Multiple vulnerabilities were discovered in 2006 in IE
» Cummulative Security Patch (MS06-042, 021, 013, 004,)
» Jscript vulnerability Remote Code Execution (MS06-023)
» Vector Markup Lang Remote Code Execution (MS06-055)
– How to mitigate
» On XP, install SP2 and IE7
» On 2000, NT, keep patches current
» Use DropMyRights from MS to lower IE privileges
» Check your Broswer Helper Objects (BHO) for spyware
» Disable Scripting and ActiveX
» Use another browser like Firefox or Opera
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?
 From the SANS Website www.sans.org
2) Windows Libraries (NT, 2000, XP, 2003)
– DLL’s can have buffer overflow vulnerabilities
– Vulnerabilties discovered in 2006
» Windows Explorer (MS06-057, 015)
» Hyperlink Object Library (MS06-050)
» HTML Help remote code exec (MS06-046, MS05-026)
» Windows allow remote code execution (MS06-043)
» Graphic Rendering Engine remote code (MS06-026, 001)
» Embedded Web fonts remote code (MS06-002)
– Patch your system and scan for vulnerabitlites
– Use least privileges where possible
– Filter IP ports 135-139, 445,
– Use an IPS and IDS
– Limit services and access to registry keys, directories
http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1.
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?

From the SANS website www.sans.org
3) Windows Services (2000, XP, 2003)
•
•
4/11/2007
Critical Vulnerabilities were discovered in these services in
2006
• Server Service (MS06-040, 035)
• iRouting and Remote Access (MS06-025)
• Exchange SMTP Service (MS06-019)
What to do?
• Disable Service if possible
• Scan for Vulnerabilities
• Block 139, 445 if possible
• PATCH
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?
 From the SANS Website www.sans.org
4) MS Office and Outlook (95/98/ME, NT, 2000, XP, 2003)
– Attack vectors are email attachments, website documents, and news
servers
– Several critical vulnerabilities in 2006
» Outlook and Exchange TNEF Remote Code(MS06-003)
» PowerPoint remote code (CVE-2006-5296 0 Day)
» Word Malformed Stack (MS06-060)
» Excel multiple remote code execution (MS06-059)
» Viso, Works, Project VBA vulnerability (MS06-047)
– Check your systems with a vulnerability scanner
– Mitigate by patching, disable IE feature of opening Office documents
– Configure Outlook with enhanced security
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?
 From the SANS Website www.sans.org
5) Windows configuration Weaknesses
– Weak passwords on accounts or network shares
» LAN Manager hashes are weak and should be replaced
with stronger more current hash techniques
» Default configuration for servers and applications can
open machines to password guessing.
» MSDE ships with SA account set with a blank password.
» Several worms take advantage of this, Voyager, Alpha
Force, SQL Spida use known weak configurations to
spread
– Enforce a strong password policy
– Prevent Windows from storing the LM hash in AD or the SAM
– Disable NULL shares and restrict anonymous access
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
• Deirdre Hurley
– www.sans.org/reading_room/whitepapers/windows/1016.php







Allowing Null Sessions
Weak Lockout Policies
Weak Account Policies
Multiple Trust relationships
Multiple Domain admin accounts
Audit logs turned off
Automatic Updates turned off
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
 Allowing Null Sessions
• What is a Null session?
– Net use \\10.1.1.1\ipc$ “” /user:””
• So what?
– You can download usernames, login information, lockout policy
information, etc.
• How do you disable one?
– MS Security Policy MMC snap-in
– Update registry key
– \\HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymo
us
• Tools to test
– www.securityfriday.com/tools/GetAcct.html
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
 Weak Lockout Policies
• If you don’t have one then brute force attacks can succeed
• If you do have one it becomes more difficult
• Suggested levels
– Enable Account Lockout Threshold at 5 attempts
– Enable Account Lockout Duration to 30 minutes
– Disable Reset Account Lockout Threshold after
• Also, enable Administrator account lockout
– Get the ADSI Edit Snap-in from Windows 2000 support tools
– http://support.microsoft.com/kb/885119/en-us
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
 Weak Account Policies
• Be aware, local account policies on 2000 over ride domain
account policies
• Some admins create local users to match domain users
• Forget to set the local Administrator password, sometimes
leaving it blank
• General rules for accounts and passwords
– Maximum password age 90 days
– Minimum password age 5 days
– Minimum password length of at least 7 characters, 14 for
Administrators
– Password Uniqueness – remember 13 passwords
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
 Multiple Trust relationships
• Limit the number of trusts in your domain
• Fewer gaps, less that has to be guarded
• Windows 2000 Tool to find out what trusts you have
– NT Resource Kit - NLTEST
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
 Multiple Domain admin accounts
• Avoid the mistake of having three or four (or more) Domain
accounts, or having domain privileges with “normal” users
• Use the practice of least privileges for all accounts
• Change default passwords for typical accounts
– Backup software
» ArcServe, Tivoli, BackupExec
– Test accounts
» Test, dummy,
– Lab accounts
– Administrator accounts
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
 Audit logs turned off
• By default audit logs are turned off
• Hackers have tools like DUMPACL and DumpSec to find out
if auditing is turned on or off
• Recommend settings for Auditing
–
–
–
–
–
–
4/11/2007
Account logon events (Success and Failures)
Logon Events
Account Management
Policy Changes
System Events
Object Access (Success and Failures)
» Files, folders, and registry keys must then be set
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%
Frequent Mistakes made in Windows Security
 Updates turned off
• SANS, Gartner Group, others report that 80-90% of attacks
are from known vulnerabilities.
• SQL Slammer, W32.Slammer in 2005 attacked a known
vulnerability that had a patch available 6 months before it
hit.
 Need to patch systems and keep them current
• Does require a patch management strategy
• Will require time
• Payoff is less downtime
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
Patching Windows
– Rod Gode, UC Davis IT Security Symposium 2005
 What to Patch and How to Patch
• Options
– Commercial
– Microsoft Provided
• Deployment and Testing
– Get some test machines
• Verification
– MBSA
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
Patching Windows
 What to Patch
• OS
• Applications
• BIOS
• Firmware
 Types of Patches from MS
• Hotfix, Update, Critical Update, Security Patch,
Update Roll-up, Service Pack
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
How to Patch
 Develop a Plan
• Hardware and Software Inventory
• Patch management Policy & Process
• Include a notification process
• Track & check patch level
• Download and test patches prior to deployment
• Deploy patches
• Audit workstations for compliance
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
How to Patch
 Tools from Microsoft (MS)
• Analysis tool from MS, Microsoft Baseline Security
Analyzer (MBSA)
• Online update services –
– Microsoft Update, Windows Update, or Download
Center
• Push / Management tools
– WSUS server, SMS server, Group Policies
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
How to Patch
 Tools from Microsoft
• Microsoft Update is different than Windows
Update
– MU updates all MS products not just windows
» Office updates, Server product patches
• WSUS is updated SUS server
– New version coming out, WSUS 3.0 now a RC
– www.microsoft.com/wsus
– Target client installs, selective client patching, uninstall
options
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
How to Patch
 Commercial Tools
• Altiris Patch Management
– www.altiris.com
• BigFix Patch Manager
– www.bigfix.com
• Ecora Patch Manager
– www.ecora.com
• LanDesk Patch Management
– www.landesk.com
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
Deployment Options
 WSUS and SMS
 Group Policy options (2000 & XP only)
• Create an Install Package (MSI file) containing the patch, see
KB article 257718 on how to do this
• Store the MSI file on a network share
• Assign the patch to groups via a group policy
• Chose the assigned publishing method
• Patch will be installed on assigned computers using the
Windows installed program
 Slipstream
• Create an image w/ service packs and patches
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
Testing and Verification
 Patch systems are not perfect, you need to test after
patches have been applied
 Tools
• Microsoft Baseline Security Analyzer 2.1 (Beta)
• Microsoft Baseline Security Analyzer 2.0.1
–
–
–
–
Get the update if you have 2.0
Used for Windows 2000 + SP3 and later
Office XP and later
Exchange 2000 and later
• Microsoft Baseline Security Analyzer 1.2.1
– Office 2000
– Exchange 5.0 and 5.5
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !?%#
Testing and Verification
 Commercial Tools
• BindView - www.bindview.com
• Computer Associates - www.ca.com
• Network Associates – www.nai.com
• Symantec – www.symantec.com
• Trend Micro – www.trendmicro.com
• Foundstone – www.foundstone.com
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !!
Hardening Windows
– Advanced Information Assurance Handbook, CERT
 Hardening techniques
• Limit services
• Limit applications
• Limit protocols
 Intrusion Protection techniques
• Software options to monitor file changes
• Host based firewalls
 Tools from Microsoft
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !!
Hardening Windows
 Hardening techniques
• Limit services
– Verify what services are needed
– On servers, usually these can be disable
» IIS (unless needed), Fax service, Indexing service,
Messenger, Telnet, Remote Access, QoS RSVP,
others.
– On workstations disable unless needed
» Fax service, Indexing service, messenger, Telnet,
others
» Enable firewall
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !!
Hardening Windows
 Hardening techniques
• Limit applications
– Verify what applications are needed, many can be
removed without impacting functionality
– On servers, usually you can remove the following
» Outlook Express, IIS, Media Player, Journal viewer,
Games, POSIX, OS2 subsystem
– On workstations, usually you can remove the same
– Limit what applications end users can run
– Do not allow end users to install applications
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !!
Hardening Windows
 Hardening techniques
• Limit protocols
– Verify what protocols are needed for your network
» On servers normally TCP/IP is sufficient
» On workstations normally TCP/IP is all that is
needed
» Remove IPX/SPX, NetBios,
• Limit Network devices
4/11/2007
– Bluetooth (disable unless needed)
– Wireless (disable unless needed)
– Firewire (disable unless needed)
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !!
Hardening Windows
 Firewalls
• Host based firewalls
– Server options
» Windows 2003 SP1 firewall option
– Workstation options
» XP SP2, ZoneAlarm, Tiny Personal Firewall
» 85 listed on Download.com
– IPSEC
» Encrypt traffic from host to host
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !!
Hardening Windows
 Intrusion Protection Systems
• IPS vs IDS
– Why detect when you can protect?
– Signature vs Anomoly
• IPS can be host or network based
• IPS Host options
– EEye BLINK, Prevx Home
• IDS host options
– SFC System File Check from MS (can be spoofed)
– LanGuard
• IPS Network options
– Forescout, Tipping Point, McAfee, ISS are options
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security !!
Hardening Windows
 Tools from Microsoft
– www.microsoft.com/technet/security/tools
• MBSA 2.0.1
• Microsoft Enterprise Scan Tool
• Security Assessment Tool
• IIS Lockdown Tool
– Hardens ISS
• URLScan Security Tool
– Included in IIS lockdown tool
• Cipher Security Tool
– Shredder for deleted files
• Port Reporter
– Logging tool for TCP and UDP activity on XP, 2003, 2000
• Tripwire (or OSSEC)
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security :-)
Tools and Techniques
 Shareware tools
• MetaSploit
– Framework for testing exploits
• Nessus
– Scanning tool to check for vulnerabilities
• Ethereal
– Packet sniffer
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security :-)
Tools and Techniques
 Shareware Tools
• Nessus
– DEMO
• Ethereal
– DEMO
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman
Windows Security :-)
Resources
• www.educause.edu/security
• www.microsoft.com/technet/security
• www.sans.org/reading_room/
• www.securityfriday.com
• www.cert.org
• www.hackingexposed
• www.incidents.org
4/11/2007
EDUCAUSE Security 2007 - John
Bruggeman