Active Security Common Practices
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
[email protected]
www.projectbotticelli.co.uk
Copyright 2005 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.
Objectives
Using Defence-in-Depth, overview the main security problem areas
Review major security protection technologies
Briefly look at security checklists for the main Microsoft servers
Session Agenda
Decomposing the Operating Environment
Defending:
  Applications
  Hosts
  Network
Microsoft Guidance Checklists
Defense in Depth
Layers and the controls that belong to each:
Policies, Procedures, & Awareness: user education against social engineering
Physical Security: guards, locks, tracking devices, HSM
Perimeter: firewalls, VPN quarantine
Internal Network: network segments, IPSec, NIDS
Host: OS hardening, update management, authentication
Application: application hardening, antivirus
Data: ACL, encryption
Common Threat Classification
Threats against the network: spoofed packets, etc.
Threats against the host: buffer overflows, illicit paths, etc.
Threats against the application: SQL injection, XSS, input tampering, etc.
Examples of Network Threats
Threat / Examples
Information gathering
  Port scanning
  Using trace routing to detect network topologies
  Using broadcast requests to enumerate subnet hosts
Eavesdropping
  Using packet sniffers to steal passwords
Denial of service (DoS)
  SYN floods
  ICMP echo request floods
  Malformed packets
Spoofing
  Packets with spoofed source addresses
Examples of Host Threats
Threat / Examples
Arbitrary code execution
  Buffer overflows in ISAPI DLLs (e.g., MS01-033)
  Directory traversal attacks (MS00-078)
File disclosure
  Malformed HTR requests (MS01-031)
  Virtualized UNC share vulnerability (MS00-019)
Denial of service (DoS)
  Malformed SMTP requests (MS02-012)
  Malformed WebDAV requests (MS01-016)
  Malformed URLs (MS01-012)
  Brute-force file uploads
Unauthorized access
  Resources with insufficiently restrictive ACLs
  Spoofing with stolen login credentials
Exploitation of open ports and protocols
  Using NetBIOS and SMB to enumerate hosts
  Connecting remotely to SQL Server
Examples of Application Threats
Threat / Examples
SQL injection
  Including a DROP TABLE command in text typed into an input field
Cross-site scripting
  Using malicious client-side script to steal cookies
Hidden-field tampering
  Maliciously changing the value of a hidden field
Eavesdropping
  Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking
  Using a stolen session ID cookie to access someone else's session state
Identity spoofing
  Using a stolen forms authentication cookie to pose as another user
Information disclosure
  Allowing the client to see a stack trace when an unhandled exception occurs
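The SQL injection row of the table, shown in working code as an added example that is not part of the original deck: it uses Python's sqlite3 module with a constructed users table, and executescript() stands in for database drivers (SQL Server among them) that run several statements in one batch, so the effect of the injected DROP TABLE can be compared with the parameterised query that defeats it.

```python
import sqlite3

# Constructed input that embeds a DROP TABLE command, as in the threat table.
MALICIOUS_NAME = "bob'; DROP TABLE users; --"


def make_db():
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "[email protected]"), ("bob", "[email protected]")])
    conn.commit()
    return conn


def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row is not None


def lookup_vulnerable(conn, name):
    """Pastes user input into the SQL text. executescript() runs every
    statement in the string, which mirrors drivers that accept batches
    (SQLite's plain execute() would refuse the second statement)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "';"
    # With MALICIOUS_NAME the text becomes:
    #   SELECT email FROM users WHERE name = 'bob'; DROP TABLE users; --';
    conn.executescript(sql)


def lookup_safe(conn, name):
    """Parameterised query: the input travels as a bound value and can
    never change the statement's structure."""
    cur = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def demo(name=MALICIOUS_NAME):
    """Run both variants against fresh databases and report whether the
    users table survived, plus what the safe lookup returned."""
    vulnerable_db, safe_db = make_db(), make_db()
    lookup_vulnerable(vulnerable_db, name)
    rows = lookup_safe(safe_db, name)
    return table_exists(vulnerable_db, "users"), table_exists(safe_db, "users"), rows
```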
Typical Pattern of a Targeted Attack
Enter the network through SQL injection etc.
Install or use port proxy software to open inbound connections
Remotely control the host to mount further attacks from inside until a domain controller is accessible
Gain control of the desired resources
Erase traces of the attack and remove installed software
What to Do when under Attack
Engage your Emergency Operating Procedure
  Or increase the emergency level (yellow to red etc.)
Follow these steps:
1. Identify the nature of the attack
2. Localize the source
3. Protect and save the evidence
4. Find other compromised machines
5. Immunise against this problem as soon as practical
Attack Vectors – Entrypoints
That is what an attacker is looking for
You always have them
You must protect them as well as you can
“Bottom” leaves (vectors) on the threat tree
Three categories of entry:
  Social engineering
  Unpatched known vulnerabilities
  New, generally unknown vulnerabilities
Typical Security Levels (Microsoft)
Based on typical security-usability-cost requirements, Microsoft favours three generic security levels:
Legacy: allows compatibility with Windows 98, ME etc.; generally the most usable and fairly insecure
Enterprise: typical needs of usability based on Windows 2000 and XP clients with resilience against all popular attacks; generally cost-effective
High Security: adds pro-active security against future attacks based on highly restrictive policies, at the cost of loss of use of many applications and other usability limitations, and may use formal security modelling; expensive but may be worth the price
“Windows Server 2003 Security Guide” and other Microsoft security guidance documents make use of those terms
Why Application Security Matters
Perimeter defenses provide limited protection
Many host-based defenses are not application specific
Most modern attacks occur at the application layer
Developers!
From an operational perspective, the problem is caused by the developers, of course
Their applications have access to privileged resources
Through vulnerabilities those resources become compromised
Solving the problem requires an almost intimate relationship between development and operations
Security Baseline
Use vendor-recommended security baselines
  Such as “Microsoft Exchange Server Security Guidelines” etc.
Define a universal security baseline for all application servers
  Base your baseline on OS vendor recommendations, such as the “Windows Server 2003 Security Guide” server roles
Implement them as a policy
  Active Directory Group Policies are an excellent way to manage them
  Use the Resultant Set of Policy (RSoP) tool to verify that the policy applies to hosts as required
Verification of compliance is an ongoing activity
In-House Applications
Most enterprises use a number of their own, self-developed applications for a number of key business activities
Those applications rarely meet stringent security design requirements
Developer security education is critically important
Existing applications need to be treated as “evil” until proven to be safe through threat modelling
Treating Unproven Applications
Until proven to be secure, treat all applications as “evil”
Restrict access to users on a need-to-use basis only
Restrict remote use
Isolate to dedicated application servers
Restrict servers through IPSec policies to only allow communication that applications explicitly require
Monitor usage patterns to establish a baseline and raise an alarm when patterns vary
Enable stringent auditing
Request a formal threat analysis if the above restrictions are too severe
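The usage-baseline point above, as an added example that is not from the original deck: a small Python detector that learns per-user hourly request counts and the set of actions from a learning window of constructed log lines, then flags hours well above the baseline, actions never seen before, and users with no baseline at all. The log format (date, time, user=, action=) is hypothetical.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed application log lines (hypothetical format: date, time, user, action).
BASELINE_LOG = """\
2005-03-01 09:05:11 user=alice action=report
2005-03-01 09:41:02 user=alice action=view
2005-03-01 10:02:45 user=alice action=view
2005-03-01 10:50:09 user=alice action=report
2005-03-02 09:03:19 user=alice action=view
2005-03-02 09:58:01 user=alice action=report
"""

OBSERVED_LOG = """\
2005-03-03 09:00:01 user=alice action=view
2005-03-03 09:00:02 user=alice action=view
2005-03-03 09:00:03 user=alice action=view
2005-03-03 09:00:04 user=alice action=view
2005-03-03 09:00:05 user=alice action=view
2005-03-03 09:00:06 user=alice action=view
2005-03-03 23:14:00 user=alice action=export
2005-03-03 10:30:00 user=mallory action=view
"""

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<hour>\d\d):\d\d:\d\d "
    r"user=(?P<user>\S+) action=(?P<action>\S+)$"
)

def parse(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def hourly_counts(events):
    """user -> Counter keyed by (date, hour) holding the request count."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["user"]][(e["date"], e["hour"])] += 1
    return counts

def build_baseline(events):
    """Per user: mean and stdev of requests per active hour, and the set
    of actions seen during the learning window."""
    baseline = {}
    for user, counts in hourly_counts(events).items():
        vals = list(counts.values())
        baseline[user] = {
            "mean": statistics.fmean(vals),
            "stdev": statistics.pstdev(vals),
            "actions": {e["action"] for e in events if e["user"] == user},
        }
    return baseline

def find_anomalies(baseline, events, k=3.0):
    """Return alert strings for behaviour that departs from the baseline."""
    alerts = []
    for user, counts in hourly_counts(events).items():
        b = baseline.get(user)
        if b is None:
            alerts.append(f"{user}: no baseline for this user")
            continue
        # Floor the spread at one request so a perfectly regular baseline
        # (stdev 0) does not alert on a single extra request.
        threshold = b["mean"] + k * max(b["stdev"], 1.0)
        for (date, hour), n in sorted(counts.items()):
            if n > threshold:
                alerts.append(f"{user}: {n} requests at {date} {hour}h, limit {threshold:.1f}")
    for e in events:
        b = baseline.get(e["user"])
        if b and e["action"] not in b["actions"]:
            alerts.append(f"{e['user']}: action {e['action']} never seen in baseline")
    return alerts

def demo():
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(baseline, parse(OBSERVED_LOG))
```

In production the learning window would be days or weeks of audit data rather than six lines, and the threshold multiplier k would be tuned per application.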
Developer Relations
For future in-house and outsourced development, formally request that all new applications state their required security policy and comply with baseline policies
Deal with exceptions very carefully
Insist that an application is tested under restrictive security conditions before being “beta tested” or piloted
Establish an operational point of contact for developer queries
Secure Development
.NET applications can use a number of new and powerful security techniques
Advocate that future development should use the .NET Framework and its security models where possible
  The actual development language is not essential as long as the framework is used
Other middleware environments may require you to integrate their security subsystems into OS, host and network security more manually
  Sometimes this is a significant weakness
Recommended .NET Security Mechanisms
.NET Code Access Security
.NET Evidence
  Using digital signatures, developers create cryptographically strong IDs for their applications
  You can use those “Strong Names” (SNs) for creating policies that allow or disallow whole classes of applications from running
  You control the associated policies
.NET Isolated Storage
  A new feature allowing applications to create a “virtual file system” in a manner that is more resistant to cross-application attacks
OS Hardening
Use the most up-to-date security patches and service packs
Windows XP SP2
  Windows Firewall with application-specific settings
  Attachment Execution protection
  Pop-up Blocker
  Memory Protection (only some CPUs)
  RPC/DCOM improvements
  May cause compatibility problems with legacy applications, so you may need to bypass or amend this feature
Apply your policy-based security baseline
Patch Management
Approaches:
  SMS (Systems Management Server): do-it-yourself, time-consuming but most flexible
  Software Update Services: you’re in control, but only for Windows OS
  Windows Update: little enterprise control, only Windows OS, most pervasive
  Application-vendor: InstallShield Update, HP Software Update and many others
Use tools, such as MBSA (Microsoft Baseline Security Analyser), to discover missing patches
Virus Protection
Defence in depth:
  On clients
  On servers
  On firewalls
Ensure full compliance, especially with the signature update service
Consider a dual-vendor approach:
  Major system on hosts
  Secondary system from a different vendor on firewalls and communication servers (email etc.)
Attachment Execution
#1 of social engineering attacks (so called “Layer 8 Vulnerabilities”)
Education is the main defence
Newer software can handle attachments in a protected, safer manner
  Outlook 2003
  XP SP2
    Extends to 3rd party applications
    Control via GPOs
Spyware (Malware) Protection
90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot)
  Zombies
  Network bandwidth and CPU degradation
  Commercial secrets leaked
  Privacy destroyed
Best practice:
  SpyBot Search and Destroy (www.spybot.info)
  Microsoft AntiSpyware (in beta)
  AdAware
Traffic Filtering
In addition to network firewalls, consider enabling incoming and outgoing traffic filtering on each host
  Defence in depth
  Application and user-specific
Only enable protocols and ports required by applications running on the host
  XP SP2 helps with this on workstations
  IPSec rulesets are a great tool for this
Many Perimeters
External – Network Edge
  Between you and the internet etc.
DMZ – De-militarized Zone
  Between the network edge and all protected resources
  Only minimal protection possible
Default Security Zone
  The traditional LAN
High Security Zone
  “Network inside network”
  For key assets
Perimeter (Edge) of Isolation
  Assets physically not connected to networks
  Useful for some key assets (e.g. master keys)
Goals of Network Security
Perimeter defense
Client defense
Intrusion detection
Network access control
Confidentiality
Secure remote access
Technologies shown on the slide: ISA Server, WF/ICF (Windows Firewall / Internet Connection Firewall), 802.1x / WPA, IPSec
Intrusion Detection Systems (IDS)
A reactive and nascent area with only a few tools available, e.g.:
  Certain rule sets for Microsoft Operations Manager (MOM) 2005
  Monitored “honeypots”
  ISS Internet Scanner (www.iss.net)
  Netcat
Honeypots
Hosts (typically servers) left with known vulnerabilities
  Disconnected from the rest of the network
  Otherwise a major threat to the enterprise
Heavily monitored
  Any unauthorised access is allowed to continue in a controlled manner
Provide a great indicator of the source of attack and the abilities of the attacker
Firewalls
ISA Server 2004 greatly helps in coping with the abundant (ab)use of port 80
Communication between firewalls and the servers they protect is a growing concern
Apart from filtering traffic, consider using the firewall for:
  Virus scanning
  Intrusion detection
  Compliance monitoring
Network Device Port Protection
Wireless
  802.1x or full use of WPA
  Physical radio coverage modelling
Wired
  An equivalent of 802.1x for wired networks is currently being developed
  Protection against rogue hosts being attached
Heterogeneous Systems
In reality, most enterprises run a bewildering array of systems
Lack of homogeneity creates vulnerabilities through inconsistencies in:
  Authentication
  Multiple PKIs
  Delegation of administration
  Incompatible security
Can also be a benefit: if things go wrong, less is affected
Single Sign-On
Strive for a single user identity and password (or smartcard) for everything
  Multiple user accounts with the same password are a major security hole and an administrative nightmare
Three approaches:
  Unified authentication
    E.g. “all apps use Kerberos v5 and Microsoft AD”
    E.g. “use certificates and PKI everywhere”
  Synchronised administration
    E.g. Microsoft Identity Integration Server
  Client-based
    Smartcard that automates multiple authentications (next session)
Unified Delegated Authentication
Very difficult to impose unless all applications have been written to use the same system
In reality only possible when one system is very dominant and the others sporadic
  Such as a large AD and a small and limited UNIX realm
For web-based applications quite possible:
  .NET Passport, or
  WS-Federation and WS-Security in general
Distributed PKI Authentication
Most open and independent solution
Quite future-proof
Multiple CAs that recognise each other
  Cross-signing
  Import of each other’s root certificates
TLS, WS-Security, CAPI and .NET Fx APIs
AD integration:
  AD can provide CA autoenrollment and provisioning
  Client certificate properties can automatically translate to AD users and roles if needed
Recommendation on PKI
3-tier structure for resilience and security:
  Root CA (offline)
  OU CAs (offline)
  Issuing CAs (online)
More discussion on PKI problems and issues in later sessions today
Synchronised Administration
Microsoft Identity Integration Server
  Changes in one system are translated into a meta-directory representation and forced on all other participating systems
  Can integrate with HR and other systems
  Fully automated staff provisioning is possible
  Works between AD/AD and AD/other directories
Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Application accounts should be assigned the minimal permissions
Apply defense-in-depth principles to increase protection
Assign only those permissions needed to perform required tasks
Top Ten Things to Secure Exchange
1. Install the latest service pack
2. Install all applicable security patches
3. Run MBSA
4. Check relay settings
5. Disable or secure well-known accounts
6. Use a layered antivirus approach
7. Use a firewall
8. Evaluate ISA Server
9. Secure OWA
10. Implement a backup strategy
Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections
Security Guidelines for Users
1. Choose complex passwords*
2. Protect passwords
3. Lock unattended computers*
4. Do not log on using a privileged account*
5. Run only trusted programs*
6. Do not open suspicious attachments*
7. Do not fall prey to social engineering
8. Review your organization’s security policies
9. Do not attempt to override security settings*
10. Report suspicious incidents
*These security guidelines can be fully or partially implemented through centralized policies
Summary
A systematic approach, such as Defence-in-Depth, helps to secure every angle
Education and ongoing research are as important as technologies
Follow the prescriptive security guidance from your suppliers