Sec 372 Microsoft Systems Architecture: The Secure Datacenter Design Fred Baumhardt Luis Carvalho Microsoft UK Microsoft Portugal

Post on 19-Dec-2015


Page 1: Sec 372 Microsoft Systems Architecture: The Secure Datacenter Design Fred Baumhardt Luis Carvalho Microsoft UK Microsoft Portugal

Sec 372

Microsoft Systems Architecture: The Secure Datacenter Design

Fred Baumhardt, Microsoft UK
Luis Carvalho, Microsoft Portugal

Page 2: Agenda

Why we are all in a big mess

Brief intro to Trustworthy Computing

Who Hacks you – Where – and Why

Security Mitigation and Countermeasures

Strategic Defence

Defense-in-Depth Strategy

Physical Defenses

Network Defenses

Host/Device Defenses

Data Defenses

Application Defenses

Page 3: The Datacenter Security Problem

Some Core Systems

Internet Systems

Departments

Extranets

Branch Offices

• Systems organically grown under a “Project” context
• No clear best practice from vendors – plus vulnerabilities
• Security often bolted on as an afterthought
• Fear of change in solution
• The sticky tape thing sort of works – so let's not touch it!

Project 1…n System

Page 4: Internet Security Roots

The Protocol is not designed for Security!!!! The Internet used to require security clearance to use – physical access was restricted – so there was no need for protocol security

Resistance to nuclear attack was more important than protecting traffic

Everyone on the network was trusted (and well intentioned) – they will follow port rules – right??

TCP/IP was thus designed without security in mind – security was added as a bolt-on

Page 5: Who are the enemies?

Answer: *.* – don’t trust anyone

Stats vary – but the majority of serious attacks originate internally

Corporate espionage or inside knowledge

“People playing with stuff they don’t know”

Self-propagating attacks (Slammer, Nimda)

Externally… could be anyone

“Script kiddies” armed with widely accessible tools – powerful, simple tools, stupid people

More serious attackers – corporate espionage, h@ckuRs looking for greetz

Page 6: HTTP is Safe and Harmless…. Right?

Most firewalls have closed almost all ports other than TCP 80 – which is NOT HTTP

So “Developers” create Web Services, SOAP, SIP, RPC/HTTP, etc. to get around this – for them it's called “next generation web services”

Hackers are also developers – they use the same behaviour to perforate security – for them it's called “hacking”

Page 7: But It's OK – I got a Firewall…

A false, fake, and irrelevant sense of security for people who don’t understand it

Most firewalls don’t understand the difference between ports and data

Most firewalls don’t protect internally – conventional wisdom is that you don’t have to

End-to-end encryption invalidates most firewalls and IDS

Did your firewall stop Nimda, the Apache worm, the Sendmail trojan, Love-Letter.vbs?

Page 8: Don’t panic – we’re on it

We all have an industry problem – not a vendor-specific one

Strategic Defence – Trustworthy Computing

Technology Defence – SD3+C

People and Process Defence – Microsoft Solutions (MSA, MSS, MSM, MOF)

Page 9: Trustworthy Computing – The NO BS Version

How much do you trust your computer? Not many people do – so we have to do any and everything until people trust it – earn respect

Cultural change – NOT a marketing campaign

People – process – technology

Core Tenets: Security, Reliability, Privacy, Business Integrity

Page 10: TwC – Security Framework

SD3 + Communications

Secure by Design: Secure architecture; Security aware features; Reduce vulnerabilities in the code

Secure by Default: Reduce attack surface area; Unused features off by default; Only require minimum privilege

Secure in Deployment: Protect, detect, defend, recover, manage; Process: How to, architecture guides, MSA; People: Training, Culture, SBU, Leaders

Communications: Security commitment and disclosure; Active in broad security community; MS Security Response Center – 3rd parties

Page 11: What MSA Addresses

MSA is a solution centred approach to security and infrastructure

MSA can help design and build secure, stable (trustworthy) infrastructures

MSA implements multi-layer – multi-vendor security – with official best practices

MSA reduces your pain in designing and achieving secure, stable solutions

Page 12: What Ships?

Sample Business Requirements

Planning Guide (Design Choices & how we arrived at them) for sample instantiation

Build Guides (How-to) for sample instantiation

Test guides, scripts, and test results for sample instantiation

Solution Operations Guide for sample instantiation

Since your requirements will be different, your instantiation will be different.

Architectural & Service “Blueprints” (Planning Information)

Page 13: Keys to Architectural Defence

Segmentation of logical components in the network – by intelligent devices

Encryption only where required – with trusted context

A pro-active/re-active management infrastructure with low latency

Strategic depth countermeasures covering entire classes of attacks

Heuristic systems like IDS and AV

Page 14: Security Risk Management Discipline and MSA

Assessment

Asset assessment and valuation

Identifying security risks

Analyzing and prioritizing security risks

Security risk tracking, planning, and scheduling

Development and Implementation

Security remediation development

Security remediation testing

Capturing security knowledge

Operate

Reassessing new and changed assets and security risks

Stabilizing and deploying new or changed countermeasures

Page 15: MSA Defensive Countermeasures

The full MSA is very rich – some highlights will be covered in the following areas:

Security Zones

Defense-in-Depth Strategy

Physical Defenses

Network Defenses

Host/Device Defenses

Data Defenses

Application Defenses

Page 16: Security Zones

Tier Restrictions

Intra-zone Tier Communication Restrictions

Inter-zone Communication Restrictions

Page 17: Defense In Depth

Layers: Physical Defenses, Network Defense, Host/Device Defense, Data Defense, Application Defense

Assume prior layers fail

Identify and potentially mitigate risk at all layers

Page 18: MSA Instantiation Guidance Recommendations

Physical Defenses

Building that equipment is in is access controlled

Room that equipment is in is access controlled

Racks that equipment is in are access controlled

Page 19: Perimeter Network Defenses

Routers only allow necessary inbound ports

Perimeter firewalls maintain stateful tables of connections inbound to permitted hosts/ports, and provide reverse and application proxying

Perimeter firewalls allow outbound Internet access originating only from specified servers over specified ports

VPN servers allow secure encrypted remote access to the data center

Page 20: Architecture Can Prevent Attack

Diagram (network architecture; labels recovered from the figure): zones Internet, Border, Perimeter, Internal; redundant routers; redundant firewalls; redundant internal firewalls; NIC teams across 2 switches; intrusion detection; DNS & SMTP; client and site VPN; proxy; RADIUS network; Intranet network – web servers; Infrastructure network – perimeter Active Directory; Infrastructure network – internal Active Directory; Messaging network – Exchange; Management network – MOM, deployment; Client network; Data network – SQL Server clusters; each network on its own VLAN; remote datacenter

Page 21: Internal Network Defenses

Virtual LANs (VLANs) are used to isolate like services from each other

Switch access control lists (ACLs) are used to control traffic flow between VLANs at Layer 3

Layer 2 VLANs are used where no routing is desired

Internal firewalls control port-level access to internal VLANs

Multi-homed DMZ servers… these servers are the only physical connection between the perimeter and internal firewalls
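The zone and tier restrictions from the Security Zones slide, the perimeter and internal rules above, and the later note that SQL must not be visible to normal user VLANs can be checked mechanically before a firewall or switch ACL change is approved. The following is an added example, not MSA code; the VLAN names, zone assignments, port numbers and the allow-list are constructed assumptions:

```python
from dataclasses import dataclass

# Constructed VLAN -> zone map; VLAN names are assumptions, the zones are
# the deck's Internet / Perimeter / Internal split.
VLAN_ZONE = {
    "internet": "internet",
    "dmz-web": "perimeter",       # Intranet network - web servers
    "dmz-dns-smtp": "perimeter",  # DNS & SMTP
    "int-data": "internal",       # Data network - SQL Server clusters
    "int-client": "internal",     # Client network
    "int-mgmt": "internal",       # Management network - MOM, deployment
}
# Specified servers permitted to originate outbound Internet traffic.
OUTBOUND_SOURCES = {"dmz-dns-smtp"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Constructed firewall/ACL allow-list; anything absent is denied.
ALLOW = {
    Rule("internet", "dmz-web", 443),
    Rule("internet", "dmz-dns-smtp", 25),
    Rule("internet", "dmz-dns-smtp", 53, "udp"),
    Rule("dmz-dns-smtp", "internet", 25),
    Rule("dmz-web", "int-data", 1433),
    Rule("int-mgmt", "dmz-web", 3389),
    Rule("int-client", "dmz-web", 80),
}


def zone_violation(rule):
    """Return why a rule breaks the inter-zone restrictions, or None."""
    src_zone, dst_zone = VLAN_ZONE[rule.src], VLAN_ZONE[rule.dst]
    if src_zone == "internet" and dst_zone != "perimeter":
        return "inbound Internet traffic must terminate in the perimeter"
    if dst_zone == "internet" and rule.src not in OUTBOUND_SOURCES:
        return "outbound Internet access only from specified servers"
    if rule.dst == "int-data" and rule.src == "int-client":
        return "SQL should not be visible to normal user VLANs"
    return None


def evaluate(src, dst, port, proto="tcp"):
    """Decide a proposed flow: zone policy first, then the allow-list."""
    rule = Rule(src, dst, port, proto)
    reason = zone_violation(rule)
    if reason:
        return "deny: " + reason
    if rule in ALLOW:
        return "allow"
    return "deny: no explicit rule (default deny)"


def audit(rules):
    """Allow-list entries that contradict the zone policy, with reasons."""
    ordered = sorted(rules, key=lambda r: (r.src, r.dst, r.port, r.proto))
    return [(r, zone_violation(r)) for r in ordered if zone_violation(r)]


# Constructed change request: two rules a project might ask for.
PROPOSED = ALLOW | {Rule("int-client", "int-data", 1433),
                    Rule("internet", "int-data", 1433)}
```

Running `audit(PROPOSED)` flags both requested rules; the zone checks run before the allow-list so a rule that someone did add cannot silently legitimise a cross-zone path.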

Page 22: VPN Network Defenses

EAP certificate-based authentication used

L2TP and PPTP used (PPTP to support older clients)

In MSA 2.0 Windows Server 2003’s NAT-T is utilized for IPSec

Page 23: Host Defenses

All servers except firewalls are members of Windows 2000 and Windows Server 2003 Active Directory for centralized security administration and management

Windows 2000 and Windows Server 2003 Security Templates

DNS security

Secured installation of IIS 5

Minimal installation of IIS 6

Page 24: Active Directory

Provides centralized management of servers

Organizational Units (OUs) are created for each server type (e.g., Web servers, SMTP servers, DNS servers, etc.)

Security templates are created for each server type and imported into GPOs, which are applied to the OUs

IDC 1.5 uses a single AD forest / single AD domain

EDC 1.5 uses a multi-forest AD with no trusts

MSA 2.0 uses a multi-forest AD with a one-way cross-forest trust (limited)

Page 25: Active Directory Security Templates

IDC 1.5 ships with security templates that are modified versions of the default Windows 2000 security templates; primarily self-contained

EDC 1.5 ships with modified security templates from the IDC and the Windows 2000 Security Operations Guide

Applied hierarchically: locked down higher in the OU structure, with necessary back-offs at lower levels in the structure

MSA 2.0 ships with modified versions of the Windows Server 2003 Security Guide templates

Applied hierarchically: locked down higher in the OU structure, with necessary back-offs at lower levels in the structure
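The hierarchical application described above (locked down at the top of the OU tree, back-offs lower down) can be audited by resolving the effective policy for each OU and listing every setting a lower OU relaxes, so that each back-off is tied to an application that needs it. Added example, not the MSA scripts; the OU names, setting names and values are constructed stand-ins for template settings, not real registry keys:

```python
# Direction in which a setting gets stricter. "higher": a larger number is
# the locked-down value; "true": True is the locked-down value.
STRICTER = {
    "MinimumPasswordLength": "higher",
    "RestrictAnonymous": "true",
    "DisableNetBIOS": "true",
    "TelnetServiceDisabled": "true",
}

# Constructed OU tree (child -> parent) and the settings each OU's GPO sets.
# GPOs apply root-to-leaf; a lower OU inherits and may override.
OU_PARENT = {"Domain": None, "Member Servers": "Domain",
             "Web Servers": "Member Servers",
             "Legacy App Servers": "Member Servers"}
GPO = {
    "Domain": {"MinimumPasswordLength": 12, "RestrictAnonymous": True,
               "TelnetServiceDisabled": True},
    "Member Servers": {"DisableNetBIOS": True},
    "Web Servers": {},
    "Legacy App Servers": {"RestrictAnonymous": False,   # app needs it
                           "MinimumPasswordLength": 8},
}


def ou_chain(ou):
    """OUs from the root down to `ou`, in GPO application order."""
    chain = []
    while ou is not None:
        chain.append(ou)
        ou = OU_PARENT[ou]
    return chain[::-1]


def is_weaker(setting, new, old):
    mode = STRICTER[setting]
    if mode == "higher":
        return new < old
    return old is True and new is not True


def effective_policy(ou):
    """Merge GPOs root-to-leaf; the closest OU wins, as in GPO precedence."""
    policy = {}
    for name in ou_chain(ou):
        policy.update(GPO[name])
    return policy


def find_backoffs(ou):
    """(ou, setting, inherited value, weaker value) for every relaxation
    on the path to `ou`."""
    backoffs, inherited = [], {}
    for name in ou_chain(ou):
        for setting, value in GPO[name].items():
            if setting in inherited and is_weaker(setting, value,
                                                  inherited[setting]):
                backoffs.append((name, setting, inherited[setting], value))
        inherited.update(GPO[name])
    return backoffs


def audit_all():
    """Every back-off in the whole tree, reported once."""
    seen = []
    for ou in OU_PARENT:
        for backoff in find_backoffs(ou):
            if backoff not in seen:
                seen.append(backoff)
    return seen
```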

Page 26: Domain And DC Hardening

Domain and Domain Controller Policies

Domain Policy

Password and Account Lockout

Audit Policy

Domain Controller Policy

Server Specific OU Lockdown Policies

System Services (Unnecessary Services Are Disabled)

Further Harden TCP/IP Parameters

Implement IPSec Packet Filters

Security Options

Restrict Anonymous, where possible

Page 27: Other Server Hardening

Stay Current on Service Packs and Hotfixes

Hotfixes are a fact of life

Disable NetBIOS on Servers in the DMZ

If using Terminal Services on DMZ servers, secure TS to only the internal interface (if multi-homed)

Secure Local and Domain Accounts

Secure the File System, use NTFS permissions

Remove Default Administrator File Share Access

Secure the Administrator Accounts

Don’t configure Windows Server 2003 Active Directory domains for pre-Windows 2000 compatible access unless necessary

Some applications need it


Page 28: DNS Security

Assessing DNS needs:

Perimeter server AD DNS lookups

Perimeter server public DNS lookups

Internal server AD DNS lookups

Internal server public DNS lookups

External employee/customer lookup of the company’s public servers

Internal employee lookup of public servers (EDC)

Separate internal AD, perimeter AD, and public DNS zones

Separate “resolver” and “advertiser” servers

Port access controlled for inbound/outbound DNS servers

DNS “listens” only on the appropriate interface

Zone transfers and forwarders are tightly controlled


Page 29: IIS Hardening

Disable Directory Browsing

Set Appropriate ACLs on Virtual Directories

No sample applications installed

ACL the IIS Log Files and Configure Auditing

Only .htm and .asp processing configured

Disable Parent Paths

Disable system error messages on production servers

URLScan Tool configured

Some of this is by default in IIS 6.0
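An added example (not URLScan itself and not MSA code) showing what several of the bullets above amount to in one request pre-filter: a verb allow-list, decode-once normalisation that rejects double encoding, refusal of parent-path segments, the default document in place of directory listings, and an extension allow-list so unmapped types never reach a script engine. The policy values are constructed assumptions, not URLScan's shipped defaults:

```python
from urllib.parse import unquote, urlsplit
import posixpath

# Constructed policy: verbs the site needs, the script-mapped (.asp) and
# static extensions it serves, and a URL length cap.
ALLOW_VERBS = {"GET", "HEAD", "POST"}
ALLOW_EXTENSIONS = {".htm", ".html", ".asp", ".css", ".gif", ".jpg"}
MAX_URL = 260
DEFAULT_DOCUMENT = "default.asp"


def normalize(raw_url):
    """Decode the path once; reject what is still encoded afterwards
    (double encoding) or carries a backslash or NUL. -> (path, reason)"""
    path = urlsplit(raw_url).path
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return None, "double-encoded url"
    if "\\" in decoded or "\0" in decoded:
        return None, "backslash or NUL in url"
    return decoded, ""


def check_request(verb, raw_url):
    """Return (True, path IIS will serve) or (False, rejection reason)."""
    if verb.upper() not in ALLOW_VERBS:
        return False, "verb not allowed: " + verb
    if len(raw_url) > MAX_URL:
        return False, "url too long"
    path, reason = normalize(raw_url)
    if path is None:
        return False, reason
    if ".." in path.split("/"):
        # Parent paths are disabled: no segment may climb the tree.
        return False, "parent path segment"
    if path.endswith("/"):
        # Directory browsing is off: a folder request serves only the
        # configured default document, never a listing.
        path += DEFAULT_DOCUMENT
    ext = posixpath.splitext(path)[1].lower()
    if ext not in ALLOW_EXTENSIONS:
        # Not on the allow-list: unmapped types never reach an ISAPI
        # extension, so a missing mapping cannot be reached by name.
        return False, "extension not mapped: " + (ext or "(none)")
    return True, path
```

The decode-once rule is the important one: a filter that decodes repeatedly until stable would accept the same bytes the server later decodes differently.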

Page 30: Data Defenses – SQL

Authentication – Windows Integrated – avoid Mixed

Data encryption for Mixed using SSL

Strong password for, and limited use of, the SA account

Validate input at the DB – call stored procs, not queries

Connection pooling – perf vs security

SQL should not be visible to normal user VLANs

Page 31: Data Defenses – Storage

SAN security guidelines

NTFS and Share Permissions

SMB Signing

Avoid usage of LanMan and legacy auth protocols

Separate network segments for internal and perimeter servers

Avoid storing data on external VLANs if possible

Page 32: Application Defenses

“Application Security Best Practices at Microsoft”: www.microsoft.com/technet/itsolutions/msit/security/appsecbp.asp

“Securing Windows 2000 Server” – Microsoft Solution for Securing Windows 2000 Server: www.microsoft.com/technet/security/prodtech/windows/secwin2k/

The Security section of the Microsoft Developer Network (MSDN) Web site: msdn.microsoft.com/nhp/Default.asp?contentid=28001191&frame=true

“Writing Secure Code”, Michael Howard and David LeBlanc, ISBN 0-7356-1722-8, April 2002, from MSPress; for more information see www.microsoft.com/mspress/books/5957.asp

“Designing Secure Web-Based Applications for Microsoft Windows 2000”, Michael Howard, ISBN 0-7356-0995-0, July 2000, from MSPress; for more information see www.microsoft.com/mspress/books/4293.asp

“Microsoft Patterns and Practices: Reference Building Blocks”: msdn.microsoft.com/practices/type/Blocks/default.asp

Page 33: Resources

MSA Enterprise DataCenter 1.5

MSA Internet DataCenter 1.5

MSA 2.0 Technical Preview

Available today from http://www.microsoft.com/systemsarchitecture

We welcome your feedback, E-Mail your comments to [email protected]

Available today from MSS: Windows Server 2003 Security Guide at http://microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89 B655521EA6C7B4DB&displaylang=en

Page 34: Ask The Experts – Get Your Questions Answered

Luis and Fred will be available in the ATE area after this session – come talk to us

Page 35: Community Resources

Community Resources: http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/

Newsgroups – Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups – Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Page 36: Evaluations

Page 37

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.