Leveraging your Active Directory (AD) for Perimeter Defense – Inside and Out (SEC205)

Richard Warren, Internet and Security Training Specialist

Upload: ann-gray

Post on 04-Jan-2016


TRANSCRIPT

Page 1: Leveraging your Active Directory (AD) for Perimeter Defense – Inside and Out (SEC205)

Richard Warren

Internet and Security Training Specialist

SEC205

Page 2: Agenda

Security Issues Today

The “Inside” – Good or Bad?

Why Active Directory?

Internal Access with Integrity

The Who and How of External Access

When a Web Proxy is not Enough

Page 3: Security Issues Today – At Risk (The Soft Underbelly)

14B devices on the Internet by 2010 [1]

35M remote users by 2005 [2]

65% increase in dynamic Web sites [3]

From 2000 to 2003 reported incidents rose from 21,756 to 137,529 [4]

Nearly 80 percent of 445 respondents surveyed said the Internet has been a frequent point of attack, up from 57 percent just four years ago [5]

90% detected security breaches [6]

85% detected computer viruses [6]

95% of all breaches avoidable with an alternative configuration [7]

Approximately 70 percent of all Web attacks occur at the application layer [8]

Sources: 1 Forrester Research; 2 Information Week, 26 November 2001; 3 Netcraft summary; 4 CERT, 2005; 5 CSI/FBI Computer Crime and Security Survey; 6 Computer Security Institute (CSI) Computer Crime and Security Survey 2002; 7 CERT, 2002; 8 Gartner Group

Page 4: The “Inside” – Good or Bad?

Page 5: Attacks from Insiders!

Who can you trust?

A large percentage of threats originate from the inside:

Users surfing inappropriate/malicious web sites

Users not logging into the AD Domain (Security Policy)

Users searching for web servers with confidential information

Disgruntled Employees – Contractors – Office Visitors

Page 6: Internet Access for your Users

Business Need: Enable users to communicate across the Internet

Risk to Organization:

• Use of instant messaging over the Internet may reveal confidential information

• Users’ access to personal e-mail may bypass corporate e-mail protection

Business Need: Enable users to access legitimate information on the Internet

Risk to Organization:

• Users may inadvertently access insecure content

• Difficult configuration may lead to mistakes that threaten security

• Users may access inappropriate Web sites and content

• Peer-to-peer applications and illegal downloads may expose the company to lawsuits

Page 7: Internet Access for your Users

Business Need: Control and monitor users’ Internet access

Risk to Organization:

• Limited application layer filtering prevents meaningful access control

• Logs that are difficult to view may prevent administrators from discovering problems

• Lack of reporting capabilities prevents management from evaluating use of the Internet by employees

Page 8: Why Active Directory

Page 9: Why Active Directory?

Plays a key role in Distributed Security

Required for domain logon (authentication)

Grants access to resources (authorization)

Plays a key role in Identity Management

Stores and protects identities

Page 10: Why Active Directory

Plays a key role in Windows manageability

Facilitates management of network resources

Facilitates delegation of administrative authority

Enables centralized policy control

Plays a key role in enabling other technologies

RRAS, Microsoft Certificate Services, Microsoft Exchange, etc.

Tremendously powerful resource – Use and Enforce It!!!

Page 11: Web Access with Integrity – Internal and External

Page 12: Web Access with Integrity

Application Layer Firewalls

Inspect Intranet and Incoming External Traffic

Monitor & Log Intranet Access by Username!

Page 13: Web Access with Integrity

Application Layer Firewalls (ISA Server 2004)

Most firewalls are external!

What about the inside threat?

Protect Intranet Servers with Intelligent Firewalls

Protect Web Servers in DMZ with application protection

Not only who but what is being sent to my servers

Use Application layer inspection for malicious traffic

Page 14: A Traditional Firewall’s View Of A Packet

Only packet headers are inspected

Application layer content appears as a “black box”

IP Header: Source Address, Dest. Address, TTL, Checksum

TCP Header: Sequence Number, Source Port, Destination Port, Checksum

Application Layer Content: ???????????????? (not inspected)

Forwarding decisions based on port numbers

Legitimate traffic and application layer attacks use identical ports

[Figure: traffic from the Internet to the Corporate Network, labelled Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]

Page 15: ISA Server’s View Of A Packet

Packet headers and application content are inspected

IP Header: Source Address, Dest. Address, TTL, Checksum

TCP Header: Sequence Number, Source Port, Destination Port, Checksum

Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"

Forwarding decisions based on content

Only legitimate and allowed traffic is processed

[Figure: traffic from the Internet to the Corporate Network, labelled Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]

Page 16: Integrity = Application Layer Security

Most of today’s attacks are directed against applications

Examples: Mail clients (worms, Trojan horse attacks), Web browsers (malicious Java applets)

Applications encapsulate traffic in HTTP traffic

Examples: Peer-to-peer, instant messaging

Traditional firewalls cannot determine what traffic is sent or received

Dynamic port assignments require too many incoming ports to be opened

Examples: FTP, RPC

Page 17: Web Access with Integrity

Stop unauthenticated access to your Intranet Portals

Web Publishing an Intranet Portal with ISA Server 2004

Force Authentication via Active Directory

Keep out anonymous connections without load on the Web Server

Enforce users to log on to the Domain

Ensure group policy and other security measures are enforced

Page 18: Web Access with Integrity

Incoming Access – Connect to Secure Point of Access

Protect Web Servers in DMZ or Internal Network

ISA Server 2004 – Web Publish (Reverse Proxy)

Inspect Incoming Traffic via Web Filters

HTTP Inspection

Monitor for malicious web traffic

Page 19: Web Access with Integrity

Protect Exchange (Messaging) Servers

Outlook Web Access

Outlook SSL Connections – Outlook 2003/Exchange 2003

Outlook Mobile Access / ActiveSync

Full RPC Filtering for Exchange

Only traffic to Exchange Servers

Page 20: Web Access with Integrity

Authentication

Unauthorized requests are blocked before they reach the Exchange server

Enforces all OWA authentication methods at the firewall

Provides forms-based authentication at the firewall before reaching OWA

Inspection

Invalid HTTP requests or requests for non-OWA content are blocked

Inspection of SSL traffic before it reaches the Exchange server*

Confidentiality

Ensures encryption of traffic over the Internet at the firewall

Can prevent attachment downloads to external client computers, separately from intranet users

[Figure: OWA Traffic from the Internet enters an SSL Tunnel to the firewall, where Authentication and Inspection take place, and continues to the Exchange Server OWA Front End; threats shown: Web Server Attacks, Password Guessing]

*Note: Full ISA inspection is not available if GZip compression is used by OWA.

Page 21: Authentication Framework

Multi-source authentication

Firewall client authentication (Web Proxy)

Transparent user authentication

Application transparent, Protocol independent

Kerberos/NTLM

Web proxy authentication

Proxy auth, Reverse proxy auth, Pass-through auth, SSL bridging

Basic, Digest, NTLM, Kerberos, Certificates

RADIUS authentication, SecurID authentication

CRL support

Extensible authentication/authorization framework
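The Basic and Digest schemes listed on this slide, replayed as the 407 challenge and response exchange a Web proxy performs before it forwards anything. This is an added example, not code from the deck or from ISA Server; the realm corp.example, the account alice and her password, the nonce values and the ACCOUNTS dictionary that stands in for the Active Directory lookup are all constructed.

```python
"""Web proxy authentication at the firewall: Basic versus Digest challenge/response.

Added example for the authentication framework slide; it is not ISA Server code.
The realm, account, password and nonces are constructed, and the dictionary
below stands in for the Active Directory lookup the firewall would make.
"""
import base64
import hashlib
import secrets
from typing import Dict, Tuple

REALM = "corp.example"  # assumed realm


def make_ha1(user: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password); what the verifier needs to store."""
    return hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()


ACCOUNTS: Dict[str, str] = {"alice": make_ha1("alice", "Winter2006!")}  # constructed


def challenge(scheme: str, nonce: str) -> str:
    """The Proxy-Authenticate value sent with a 407 before any request is forwarded."""
    if scheme == "Basic":
        return f'Basic realm="{REALM}"'
    return f'Digest realm="{REALM}", nonce="{nonce}", qop="auth", algorithm=MD5'


# --- Basic: the credential is only encoded, so the SSL tunnel has to protect it ---

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials(header_value: str) -> Tuple[str, str]:
    """Anyone on the path can do this; base64 is not encryption."""
    raw = base64.b64decode(header_value.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def verify_basic(header_value: str) -> bool:
    user, password = basic_credentials(header_value)
    stored = ACCOUNTS.get(user)
    return stored is not None and secrets.compare_digest(stored, make_ha1(user, password))


# --- Digest: the password never crosses the wire, only an MD5 proof bound to the nonce ---

def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()


def digest_header(user: str, password: str, method: str, uri: str, nonce: str,
                  nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """What the client sends back after the 407 (cnonce fixed here for reproducibility)."""
    response = digest_response(make_ha1(user, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest(header_value: str) -> Dict[str, str]:
    """Split the comma-separated Digest parameters (values here contain no commas)."""
    fields = {}
    for part in header_value.split(" ", 1)[1].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def verify_digest(header_value: str, method: str, issued_nonce: str) -> bool:
    """Recompute the proof from the stored HA1; reject stale nonces and unknown users."""
    f = parse_digest(header_value)
    stored = ACCOUNTS.get(f.get("username", ""))
    if stored is None or f.get("nonce") != issued_nonce or f.get("qop") != "auth":
        return False
    try:
        expected = digest_response(stored, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    except KeyError:
        return False
    return secrets.compare_digest(expected, f.get("response", ""))


if __name__ == "__main__":
    nonce = secrets.token_hex(8)
    print("407 Proxy-Authenticate:", challenge("Digest", nonce))
    hdr = digest_header("alice", "Winter2006!", "GET", "/exchange/", nonce)
    print("Proxy-Authorization:", hdr)
    print("forward to OWA:", verify_digest(hdr, "GET", nonce))
    print("Basic on the wire decodes to:", basic_credentials(basic_header("alice", "Winter2006!")))
```

Basic only works because the SSL tunnel on the OWA slide hides the header; without it the credential is readable by anyone on the path, which is the capture and password-guessing exposure the forms-based option is meant to reduce. Digest never sends the password, but its proof is an MD5 over a nonce the proxy issued, so it is only as strong as the nonce handling: verify_digest refuses any nonce it did not issue and a proof computed for a different method.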

Page 22: Demo – Web Publishing with ISA Server

Using Active Directory Integrated Web Access

Page 23: The Who and How of External Access

Page 24: Who? – External Access

Who is getting out of your network?

Vendors – Visitors – Consultants

And what are they doing?

Peer to Peer File Sharing – Instant Messaging File Transfer

Page 25: How? – External Access

Leverage Active Directory:

Integrated Web Proxy with ISA Server 2004

Ensure only authorized users have external access

Base external access on AD groups

Log access based on USER NAME and not IP Address

Know your exit points to external networks

How many DMZs? Departmental external access?

Force all access through secure Web Proxies

Page 26: How? – External Access

Provides superior application-layer protection for corporate clients

Enforces corporate policies

Limits access to allowed sites

Limits access to allowed protocols

Provides for user and group based rules

Lets rules apply based on schedule

Partners provide easy extensibility

Virus checking

Web access blocking based on database of problematic sites
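The controls on this slide and the previous one (authorized users only, AD group membership, allowed protocols and sites, schedules, and logging by user name rather than IP address) as a small policy evaluator. This is an added example, not ISA Server code; the DIRECTORY mapping stands in for an Active Directory group lookup, and the group names, rules, addresses, dates and log field order are constructed. The first-match-wins, implicit-deny ordering is an assumption of the example.

```python
"""Group- and schedule-based Web proxy access rules, logged by user name.

Added example for the "How? – External Access" slides; it is not ISA Server
code. The directory contents, group names, rule set and log layout are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Optional, Set, Tuple

# Constructed stand-in for an Active Directory group lookup (user -> groups).
DIRECTORY = {
    "alice": {"Domain Users", "Internet-Users"},
    "bob": {"Domain Users"},
    "carol": {"Domain Users", "Internet-Users", "IT-Admins"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    groups: frozenset                            # matches if the user is in any of them
    protocols: frozenset
    sites: Tuple[str, ...] = ("*",)              # fnmatch patterns on the destination host
    hours: range = range(0, 24)                  # schedule: local hour of day
    weekdays: range = range(0, 7)                # Monday = 0 ... Sunday = 6


# Evaluated in order, first match wins, implicit deny at the end (assumed semantics).
RULES = (
    Rule("Block P2P protocols", "deny", frozenset({"Domain Users"}),
         frozenset({"bittorrent", "gnutella"})),
    Rule("Admins any time", "allow", frozenset({"IT-Admins"}),
         frozenset({"http", "https", "ftp"})),
    Rule("Staff web, business hours", "allow", frozenset({"Internet-Users"}),
         frozenset({"http", "https"}), hours=range(7, 19), weekdays=range(0, 5)),
)

# Constructed timestamps: a Tuesday morning and a Sunday night.
TUESDAY_10AM = datetime(2006, 6, 13, 10, 0)
SUNDAY_2AM = datetime(2006, 6, 18, 2, 0)


def decide(user: Optional[str], protocol: str, host: str, when: datetime) -> Tuple[str, str]:
    """Return (action, rule name). No domain logon means no group, so no rule can match."""
    if user is None:
        return "deny", "Unauthenticated (no domain logon)"
    groups: Set[str] = DIRECTORY.get(user, set())
    for rule in RULES:
        if not (groups & rule.groups):
            continue
        if protocol not in rule.protocols:
            continue
        if not any(fnmatch(host, pattern) for pattern in rule.sites):
            continue
        if when.hour not in rule.hours or when.weekday() not in rule.weekdays:
            continue
        return rule.action, rule.name
    return "deny", "Default rule"


def log_line(client_ip: str, user: Optional[str], protocol: str, host: str, when: datetime) -> str:
    """Tab-separated record keyed on the user name; the field order is this example's, not ISA's."""
    action, rule = decide(user, protocol, host, when)
    return "\t".join([when.strftime("%Y-%m-%d %H:%M:%S"), client_ip, user or "anonymous",
                      protocol, host, action, rule])


if __name__ == "__main__":
    # Two users behind the same NAT address: an IP-keyed log could not tell them apart.
    print(log_line("10.0.0.5", "alice", "http", "www.msnbc.com", TUESDAY_10AM))
    print(log_line("10.0.0.5", "bob", "http", "www.msnbc.com", TUESDAY_10AM))
    print(log_line("10.0.0.5", None, "http", "www.msnbc.com", TUESDAY_10AM))
    print(log_line("10.0.0.9", "carol", "https", "update.example", SUNDAY_2AM))
    print(log_line("10.0.0.9", "carol", "bittorrent", "tracker.example", TUESDAY_10AM))
```

The point of the shared address 10.0.0.5 in the demo is the slide's "USER NAME and not IP Address": alice and bob produce different decisions from the same source IP, and only the user field in the log tells you which of them was blocked. An unauthenticated request never reaches a group rule, which is how "force users to log on to the domain" becomes enforceable at the proxy.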

Page 27: How? – External Access

HTTP Filtering

Flexible control over allowed content
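HTTP filtering as described here and on the Web filter inspection slide (Page 18), as a request-level check run before a request reaches the published server: allowed methods, published paths only, blocked extensions, URL and query length limits, high-bit characters in the request line, and a normalization check that catches double-encoded escapes. This is an added example, not ISA Server's HTTP filter; the policy values, the OWA-style allowed paths and the sample requests are constructed.

```python
"""HTTP filtering for a published Web server: method, path, extension, length and
URL-normalization checks applied before a request reaches the back end.

Added example for the HTTP filtering and Web filter inspection slides; it is
not ISA Server's filter and the policy values are this example's own. The
allowed paths assume an OWA-style front end and the sample requests are constructed.
"""
import os
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class HttpFilterPolicy:
    allowed_methods: Tuple[str, ...] = ("GET", "HEAD", "POST")
    allowed_paths: Tuple[str, ...] = ("/exchange/", "/exchweb/", "/public/")   # assumed
    blocked_extensions: Tuple[str, ...] = (".exe", ".dll", ".bat", ".cmd", ".ida", ".idq")
    max_url_length: int = 2048
    max_query_length: int = 1024
    verify_normalization: bool = True   # reject %-escapes that survive one decode
    block_high_bit: bool = True         # reject non-ASCII bytes in the request line


def inspect(raw: bytes, policy: HttpFilterPolicy = HttpFilterPolicy()) -> List[str]:
    """Return every policy violation in one request; an empty list means forward it."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return ["malformed request line"]        # nothing further can be trusted

    violations: List[str] = []
    if policy.block_high_bit and any(b > 0x7F for b in request_line):
        violations.append("high-bit characters in request line")

    method = parts[0].decode("ascii", "replace")
    if method not in policy.allowed_methods:
        violations.append(f"method {method} not allowed")

    target = parts[1].decode("latin-1")
    if len(target) > policy.max_url_length:
        violations.append(f"URL length {len(target)} exceeds {policy.max_url_length}")
    url = urlsplit(target)
    if len(url.query) > policy.max_query_length:
        violations.append("query string too long")

    once = unquote(url.path)                     # the path after a single decode
    if policy.verify_normalization and "%" in once:
        violations.append("URL not normalized: escapes survive decoding")

    canon = unquote(once).replace("\\", "/")     # decode again so a disguised traversal shows
    if "/../" in canon or canon.endswith("/.."):
        violations.append("directory traversal")
    if not canon.startswith(policy.allowed_paths):
        violations.append(f"path {canon} is not published content")
    extension = os.path.splitext(canon)[1].lower()
    if extension in policy.blocked_extensions:
        violations.append(f"blocked extension {extension}")
    return violations


# Constructed requests: one legitimate OWA request and four that the filter should stop.
SAMPLE_REQUESTS = {
    "owa inbox": b"GET /exchange/alice/Inbox/?Cmd=contents HTTP/1.1\r\nHost: mail.corp.example\r\n\r\n",
    "double-encoded traversal": b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "trace method": b"TRACE /exchange/ HTTP/1.1\r\nHost: mail.corp.example\r\n\r\n",
    "oversized url": b"GET /exchange/" + b"A" * 2100 + b" HTTP/1.1\r\n\r\n",
    "not http": b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01",
}

if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        found = inspect(request)
        print(f"{name:25} {'FORWARD' if not found else 'BLOCK'}  {'; '.join(found)}")
```

The normalization check is the one worth understanding: a back-end server that decodes a path twice turns `%255c` into `%5c` and then into a backslash, so the traversal is invisible to any filter that looks only at the raw bytes. Decoding once and refusing anything that still contains `%` is a cheap way to reject that whole class; the second decode is done only to report what the server would have seen. The reporting is deliberately exhaustive (all violations, not just the first) because the log entry is what the operator reads, as the Page 7 slide points out.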

Page 28: Demo – Web Proxy Access with ISA Server

Using Active Directory Integrated Web Proxy

Page 29: When a Web Proxy is Not Enough?

Page 30: Web Proxy – Intelligent?

Port 80 Outbound – and away we go!

Peer to Peer applications search for this

Instant Messaging uses Port 80 (HTTP)

How do you stop it?

Web & Application Filters

Search for signatures of these applications

ISA Server has built-in web/application filters

Block the apps even in HTTP traffic

Prevent tunneling of other protocols in HTTP
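The port-only view of Page 14 beside the content view of Page 15, applied to the port-80 problem on this slide: the same TCP port carries browser traffic, tunneled instant messaging and peer-to-peer, CONNECT tunnels to arbitrary ports, and plain non-HTTP. This is an added example, not ISA Server's filter set; the signatures (ExampleMessenger, ExampleP2P, X-IM-Session), the sample payloads and the rule that only CONNECT to port 443 is expected are constructed. Malformed-but-HTTP requests, the "Attacks" bucket on the slides, are a matter for HTTP filtering and are not classified here.

```python
"""Port number versus content: classify payloads seen on TCP port 80.

Added example for the "traditional firewall's view" slides and the port-80
signature discussion. It is not ISA Server code; the signatures and sample
payloads are constructed for illustration.
"""
import re
from typing import Dict, Tuple

# HTTP/1.x request line: method, request-target, version (RFC 2616 section 5.1, simplified).
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")

# Constructed signatures for applications that ride on port 80 or inside HTTP.
# A shipped filter set keys on the same kinds of markers: header values, URL shapes, body bytes.
TUNNEL_SIGNATURES: Dict[str, Tuple[re.Pattern, ...]] = {
    "instant messaging": (re.compile(rb"^User-Agent: ExampleMessenger/", re.M),
                          re.compile(rb"^X-IM-Session: ", re.M)),
    "peer-to-peer": (re.compile(rb"^User-Agent: ExampleP2P/", re.M),
                     re.compile(rb"^GET /announce\?info_hash=")),
}


def traditional_view(dst_port: int) -> str:
    """Header-only decision: any flow to an open port is forwarded, whatever it carries."""
    return "forward" if dst_port in (80, 443) else "drop"


def classify(payload: bytes) -> Tuple[str, str]:
    """Content decision on a port-80 payload, using the slide's buckets.

    The question here is only whether port 80 is carrying what it is supposed to;
    malformed-but-HTTP requests are left to HTTP filtering.
    """
    match = REQUEST_LINE.match(payload)
    if not match:
        return "Non-HTTP traffic", "no HTTP request line"
    method, target = match.group(1), match.group(2)
    if method == b"CONNECT":
        # CONNECT turns the proxy into a blind tunnel; only the TLS port is expected.
        if target.endswith(b":443"):
            return "Expected HTTP traffic", "CONNECT to port 443"
        return "Unexpected HTTP traffic", "CONNECT tunnel to " + target.decode("latin-1")
    for app, signatures in TUNNEL_SIGNATURES.items():
        if any(sig.search(payload) for sig in signatures):
            return "Unexpected HTTP traffic", app + " signature in HTTP"
    return "Expected HTTP traffic", method.decode() + " " + target.decode("latin-1")


def application_view(dst_port: int, payload: bytes) -> str:
    """Header plus content: forward only what is on an allowed port and is expected HTTP."""
    if traditional_view(dst_port) == "drop":
        return "drop"
    category, _ = classify(payload)
    return "forward" if category == "Expected HTTP traffic" else "drop"


# Constructed sample payloads, all destined for port 80.
SAMPLES = {
    "browser": b"GET / HTTP/1.1\r\nHost: www.msnbc.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "im client": b"POST /gateway HTTP/1.1\r\nHost: im.example\r\nUser-Agent: ExampleMessenger/7.0\r\n\r\n",
    "p2p tracker": b"GET /announce?info_hash=%12%34 HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "ssh on 80": b"SSH-2.0-OpenSSH_4.3\r\n",
    "tls on 80": b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01",
    "connect to ssh": b"CONNECT mail.example:22 HTTP/1.1\r\nHost: mail.example:22\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        category, reason = classify(payload)
        print(f"{name:15} port-only={traditional_view(80):8} "
              f"content={application_view(80, payload):8} {category} ({reason})")
```

Running the demo shows the asymmetry the two slides draw: traditional_view says "forward" for all six payloads because the port is the only thing it can see, while application_view forwards only the browser request. Signature matching is only as good as the signature list, which is why the deck pairs it with forcing authenticated users through the proxy; an unknown application still shows up in the per-user log even when no signature fires.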

Page 31: When a Web Proxy is Not Enough

Inspect HTTP Traffic with ISA 2004

Don’t just cache

Inspect inbound web traffic

Secure what leaves your network

Know what leaves and who sent it!!

Force all Users to log on to the Domain for External Access

Log users by name

Page 32: Leveraging Active Directory for Perimeter Defense

[Figure: layered defenses – Data and Resources, Application Defenses, Host Defenses, Network Defenses, Perimeter Defenses]

Perimeter Defense: Protect Intranet Servers – Lock Down Web Access – Active Directory Integration

Application Layer firewalls are becoming increasingly more important: HTTP Tunneling – SSL encryption – Anonymous connections

Page 33: Community Resources

http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)

http://www.microsoft.com/communities/mvp

Newsgroups

Converse online with Microsoft Newsgroups, including Worldwide

http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

User Groups – Meet and learn with your peers

http://www.microsoft.com/communities/usergroups/default.mspx

Page 34: Microsoft Learning Resources

Come and talk to Microsoft Learning to find out more about developing your skills; you can find us in the ‘Ask the Experts’ area

Special offers on Microsoft Certification from Microsoft Learning

Free Microsoft Learning Assessments: http://www.microsoft.com/learning/assessment/ind/default.asp

Free e-learning for Microsoft Visual Studio 2005 and Microsoft SQL Server 2005, with free Assessments and E-Learning: http://www.microsoft.com/learning/mcp/

Page 35: © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.