SEC313: Securing Enterprise Platforms And Perimeters
AKA – Building a Perimeter Platform and Infrastructure (with security)
Ben Smith, Senior Security Strategist, Microsoft Corporation
Slide transcript (posted 19-Dec-2015)
Agenda
- Understanding the Goals of Network Perimeter Security
- Defining the Basic Rules of Engagement for Security
- Building a Perimeter Platform for Security using Microsoft technologies
- Application Security
- Host Security
- Closing Notes
Understanding the Goals
Security goal #1: Keep information away from the attacker
Security goal #2: Allow the right users access to the right information
Security goal #3: Keep a record of #1 and #2
Security goal #4: Make sure that security is user/administrator friendly
Security goal #5: Don't let the previous goals cost too much
It can be done! And it can be done without a firewall!
Open Hack 4 - eWeek Magazine's annual contest
- This year: application-level security focus
- Goal: modify information in the database
- 82,500 attempted attacks over 2 ½ weeks
- Microsoft entry wasn't compromised
Lesson learned: reasonably skilled administrators and developers can build Windows environments that are secure and resilient against attack.
10 Basic Rules of Perimeter Security
1. Minimize the attack surface
2. Least privilege (deny by default)
3. Defense-in-depth
4. Compartmentalization
5. Carry a big stick (you have to tell people NO!)
6. Understand what your perimeter really is!
7. Know you cannot defend against other administrators or poor physical security
8. Assess your security (the attacker will be!)
9. If you are not up-to-date, you are not secure
10. Avoid assumptions
Application Security
Ben's rule of perimeter application security: if the application has security holes, the best you can hope for is to slow the hackers down or limit the damage the attacker can do.
You must work with your developers!
Key Components
- Input validation, input validation, input validation
- Authentication
- Impersonation/delegation
- Data security
- Coding practices
- Code review
- Penetration testing
For every application in/on the perimeter you must answer:
1. What data is being accessed or stored locally
2. What data is being transmitted
3. How the application communicates with other computers
4. How authentication is handled
5. What security measures the application is providing
6. What services the application depends on
7. How the application will be managed
8. Who will be managing the application
9. How operations can be audited
10. What the potential threats and vulnerabilities of the application are
Infrastructure/Host Security
- Perimeter architecture examples
- Baseline security
- TCP/IP security
- Software Restriction Policies
- IIS 6.0
- IPSec
- Management networks
Perimeter Architecture: Small environment
Components (diagram): Internet, ISA Server with inbound VPN, Web Server, Test Web Server, Active Directory, LAN Clients
Traffic allowed in:
- Web - TCP 80/443 via web publishing
- DNS - TCP/UDP 53
- PPTP - GRE (IP protocol 47) and TCP 1723 to the ISA Server (the PPTP control connection is TCP, not UDP)
Traffic allowed out:
- DNS - TCP/UDP 53
- Web/FTP using proxy services
Perimeter Architecture: Large environment
Components (diagram): Internet; three ISA Servers; Perimeter Network; Management Network; Limited Access Network; Corporate Network; Terminal Server; RRAS Server with IAS as RADIUS Proxy; Active Directory with IAS as RADIUS Server; Web Servers/Server Farms; SQL Database/Cluster; DMZ AD Forest; corporate Active Directory
Perimeter Security Challenges
Most security challenges relate to the expansion from small to large.
- Network-level complexity: more router ACLs, complex firewall rules, more IPSec policies, more multi-connected boxes
- People-level complexity: more administrators, distributed data to secure, more patch management issues
- Host-level complexity: more systems and applications to monitor, authentication issues to manage, content propagation and management
2 Ways to Address the Complexity
1. Design the scalability of security from the start
- Follow best practices for environments with more complexity and higher security requirements
- Create a security budget for expansion
- Assess the security of your network from the outside
- Think about compartmentalization!
2. Build reusable security components on the hosts
- Baseline security policy: security templates
- Server-specific security policy: security templates, SRPs, security tools
- Host-based IP security: TCP/IP security, IPSec policies
- Management security: VPN, Network Access Quarantine, RADIUS, multifactor auth
Baseline Security
Starts and ends with credential management.
Tips:
1. Use multi-factor authentication when possible
2. Educate users and administrators on creating passwords: it is often easier for users to remember 20 to 30 character passphrases than 8 character passwords
3. Enforce password complexity systematically
4. Don't reuse passwords or share accounts
5. Avoid account lockout policies (aka the "increase your support costs feature")
There is no patch for weak passwords or weakly managed passwords!
Password Reuse Issue
Server 1 - Account: BackupAccount1, Password: VeryHardToGuessPassword
Server 2 - Account: MailServiceAccount1, Password: VeryHardToGuessPassword
Server 3 - Account: Administrator, Password: VeryHardToGuessPassword
1. Server 1 gets hacked
2. Attacker extracts LSA Secrets
3. Obtains password to service accounts
4. Attacker attempts to use the Server 1 password on Server 1..Server N
5. Hacks Server 2 and Server 3
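The chain on the slide, as an added example (not from the deck): a small PowerShell model of which servers fall once one is compromised, plus the check an administrator can run beforehand. The inventory of servers, accounts and passwords is constructed for illustration; in practice the same comparison is done on NT hashes from an audit, since Windows stores them unsalted and identical passwords produce identical hashes.

```powershell
# Added example, not from the slides: model the password-reuse chain as a walk
# over a constructed inventory of the credentials each server holds (LSA
# secrets, service account passwords, local Administrator). Owning a server
# yields its passwords; every other server where one of those passwords is
# valid for any account falls next (the "try it on Server 1..N" step).
# Server names, accounts and passwords below are illustrative.

$inventory = @{
    Server1 = @(
        @{ Account = 'BackupAccount1';      Password = 'VeryHardToGuessPassword' }
    )
    Server2 = @(
        @{ Account = 'MailServiceAccount1'; Password = 'VeryHardToGuessPassword' }
        @{ Account = 'svc-monitor';         Password = 'M0n1tor!Only' }
    )
    Server3 = @(
        @{ Account = 'Administrator';       Password = 'VeryHardToGuessPassword' }
    )
    Server4 = @(
        @{ Account = 'Administrator';       Password = 'Unique-per-host-7731' }
    )
}

function Find-ReusedPasswords {
    # The preventive check: any password used by more than one account,
    # on any server, is a lateral-movement path waiting to be used.
    param([Parameter(Mandatory)] [hashtable] $Inventory)
    $rows = foreach ($server in $Inventory.Keys) {
        foreach ($cred in $Inventory[$server]) {
            [pscustomobject]@{ Server = $server; Account = $cred.Account; Password = $cred.Password }
        }
    }
    $rows | Group-Object Password | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Password = $_.Name
            SharedBy = ($_.Group | ForEach-Object { "$($_.Server)\$($_.Account)" }) -join ', '
        }
    }
}

function Get-BlastRadius {
    # The attacker's view: starting from one owned server, which others fall
    # using only passwords already extracted? Loops until nothing new falls.
    param(
        [Parameter(Mandatory)] [hashtable] $Inventory,
        [Parameter(Mandatory)] [string]    $StartServer
    )
    $known = New-Object 'System.Collections.Generic.HashSet[string]'
    $compromised = [ordered]@{}
    $compromised[$StartServer] = 'initial foothold'
    foreach ($cred in $Inventory[$StartServer]) { [void]$known.Add($cred.Password) }

    do {
        $progress = $false
        foreach ($server in $Inventory.Keys) {
            if ($compromised.Contains($server)) { continue }
            $hit = $Inventory[$server] | Where-Object { $known.Contains($_.Password) } | Select-Object -First 1
            if ($hit) {
                $compromised[$server] = "reused password of $($hit.Account)"
                # Every newly owned server contributes its own secrets
                foreach ($cred in $Inventory[$server]) { [void]$known.Add($cred.Password) }
                $progress = $true
            }
        }
    } while ($progress)
    return $compromised
}

'Passwords shared across accounts:'
Find-ReusedPasswords -Inventory $inventory | Format-Table -AutoSize

'Servers reachable from a compromise of Server1:'
Get-BlastRadius -Inventory $inventory -StartServer Server1
```

With the inventory above, Server1, Server2 and Server3 share one password and fall together, while Server4, whose Administrator password is unique, is unreachable. Note that account lockout (tip 5 above) does nothing against this attack: the attacker is presenting a correct password on the first try.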
Baseline Security Options
Start with the Windows Hardening Guides:
- Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14845
- Securing Windows 2000 Server: http://go.microsoft.com/fwlink/?LinkId=14837
Add settings for your requirements. Always test the settings in your environment!
Highlights from the Baseline Guide
- Configures audit policy
- Removes LM password hashes (the NoLMHash setting; takes effect as passwords are changed)
- Raises the NTLM compatibility level (LmCompatibilityLevel: NTLMv2, refusing LM)
- Restricts anonymous enumeration (RestrictAnonymous)
- Disables the POSIX subsystem
- Further restricts services
TCP/IP Security on the host
Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
- EnableICMPRedirect: protects against bouncing ICMP packets to 3rd parties (the host stops honouring ICMP redirects that would alter its route table). Set to 0.
- DisableIPSourceRouting: prevents an attacker from dictating the path of IP packets (source-routed packets are dropped). Set to 2.
- SynAttackProtect: aggressively times out half-open TCP connections under a SYN flood. Set to 1 in Windows Server 2003; set to 2 in Windows 2000 and Windows XP. (The rewritten TCP/IP stack in Windows Vista and later does not read this value; SYN flood protection is built in there.)
Changes to these values take effect after a reboot.
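An added example (not from the deck) that turns the registry values above and the baseline-guide highlights into a repeatable check. It reads each value, reports whether it matches, and with -Apply writes the expected value. The expected values are my reading of the Windows Server 2003 Security Guide's high-security settings (an assumption; in particular LmCompatibilityLevel 5 refuses LM and NTLM entirely, which breaks clients that cannot do NTLMv2), so adjust the table before running it with -Apply.

```powershell
# Added example, not from the slides: audit (and with -Apply, set) the host
# hardening values the slides call out: the three Tcpip\Parameters values and
# the LSA settings behind "removes LM hashes", "raises NTLM compatibility" and
# "restricts anonymous enumeration", plus the POSIX subsystem entry.
# Expected values are assumptions taken from the 2003 Security Guide's
# high-security level. Run elevated; Tcpip changes need a reboot.
param([switch] $Apply)

$os = [System.Environment]::OSVersion.Version
# SynAttackProtect: 1 on Windows Server 2003 (5.2), 2 on Windows 2000/XP
# (5.0/5.1); Vista and later (6.x+) ignore the value entirely.
$synExpected = if ($os.Major -eq 5 -and $os.Minor -eq 2) { 1 } else { 2 }

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    @{ Path = $tcpip; Name = 'EnableICMPRedirect';       Expected = 0;            Why = 'ignore ICMP redirects (route poisoning)' }
    @{ Path = $tcpip; Name = 'DisableIPSourceRouting';   Expected = 2;            Why = 'drop all source-routed packets' }
    @{ Path = $tcpip; Name = 'SynAttackProtect';         Expected = $synExpected; Why = 'time out half-open connections under SYN flood' }
    @{ Path = $lsa;   Name = 'NoLMHash';                 Expected = 1;            Why = 'stop storing LM hashes (from next password change)' }
    @{ Path = $lsa;   Name = 'LmCompatibilityLevel';     Expected = 5;            Why = 'send NTLMv2 only, refuse LM and NTLM' }
    @{ Path = $lsa;   Name = 'RestrictAnonymous';        Expected = 1;            Why = 'no anonymous enumeration of SAM accounts and shares' }
    @{ Path = $lsa;   Name = 'RestrictAnonymousSAM';     Expected = 1;            Why = 'no anonymous enumeration of SAM accounts' }
    @{ Path = $lsa;   Name = 'EveryoneIncludesAnonymous'; Expected = 0;           Why = 'Everyone does not include anonymous logons' }
)

function Test-HardeningValue {
    param([hashtable] $Check, [switch] $Fix)
    $item    = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    # $null means the value is absent and the OS default applies
    $current = if ($item) { $item.($Check.Name) } else { $null }
    $ok      = ($null -ne $current) -and ([int]$current -eq $Check.Expected)
    if (-not $ok -and $Fix) {
        # -Force overwrites an existing value and creates a missing one
        New-ItemProperty -Path $Check.Path -Name $Check.Name -PropertyType DWord -Value $Check.Expected -Force | Out-Null
        $current = $Check.Expected
        $ok = $true
    }
    [pscustomobject]@{ Setting = $Check.Name; Current = $current; Expected = $Check.Expected; Compliant = $ok; Purpose = $Check.Why }
}

$checks | ForEach-Object { Test-HardeningValue -Check $_ -Fix:$Apply } | Format-Table -AutoSize

# POSIX subsystem: the guide removes "Posix" from the Optional multi-string
# under Session Manager\SubSystems.
$subsys   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$optional = @((Get-ItemProperty -Path $subsys -Name Optional -ErrorAction SilentlyContinue).Optional)
if ($optional -contains 'Posix') {
    if ($Apply) {
        Set-ItemProperty -Path $subsys -Name Optional -Type MultiString -Value @($optional | Where-Object { $_ -ne 'Posix' })
    } else {
        Write-Warning 'POSIX subsystem is still enabled (Optional contains Posix)'
    }
}
```

Run it without -Apply first on a representative host; NoLMHash only stops new LM hashes being stored, so existing accounts keep theirs until their passwords are changed.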
Lessons learned: Denial of Service attack on a major web site (case study)
Software Restriction Policies
Used to control which applications may run on a computer.
Rule types: path rule, hash rule, certificate rule, Internet zone rule
Two default security levels:
• Disallowed - nothing runs unless a rule explicitly allows it (an allow-list; the stronger choice for a perimeter host)
• Unrestricted - everything runs unless a rule explicitly blocks it (a block-list)
Control executable code (designated file types):
.ADE .ADP .BAS .BAT .CHM .CMD .CPL .CRT .EXE .HLP .HTA .INF
.INS .ISP .JS .JSE .LNK .MDB .MDE .MSC .MSI .MSP .MST .PCD
.PIF .REG .SCR .SCT .SHS .URL .VB .VBE .VBS .WSC .WSF .WSH
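An added example (not from the deck) for verifying what SRP is actually enforcing on a host: it reads the machine policy under Safer\CodeIdentifiers, reports the default level and the path and hash rules that override it, and lists which of the designated file types on the slide are missing from the enforced list. The registry layout it walks (DefaultLevel, ExecutableTypes, and the Paths/Hashes subkeys per level) is the SRP storage as I know it; certificate and Internet zone rules live elsewhere and are not walked.

```powershell
# Added example, not from the slides: show the Software Restriction Policy in
# force on this host (machine policy under Safer\CodeIdentifiers): the default
# security level, the path and hash rules that override it, and which of the
# slide's designated file types this host is not enforcing.
$safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }   # DefaultLevel and rule-level subkey names
$slideTypes = ('ADE ADP BAS BAT CHM CMD CPL CRT EXE HLP HTA INF INS ISP JS JSE LNK MDB MDE ' +
               'MSC MSI MSP MST PCD PIF REG SCR SCT SHS URL VB VBE VBS WSC WSF WSH') -split ' '

function Get-SrpPolicy {
    if (-not (Test-Path $safer)) { return $null }    # no SRP applied to this machine
    $cfg = Get-ItemProperty -Path $safer
    # An absent DefaultLevel means the built-in default: Unrestricted
    $default = if ($null -ne $cfg.DefaultLevel) { [int]$cfg.DefaultLevel } else { 262144 }

    # Rules are stored per level: <level>\Paths\{guid} and <level>\Hashes\{guid}
    $rules = foreach ($lvl in $levels.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $key = Join-Path $safer "$lvl\$kind"
            if (-not (Test-Path $key)) { continue }
            foreach ($rule in Get-ChildItem -Path $key) {
                $r = Get-ItemProperty -Path $rule.PSPath
                $target = if ($kind -eq 'Paths') { $r.ItemData } else { $r.FriendlyName }
                [pscustomobject]@{
                    Level       = $levels[$lvl]
                    RuleType    = @{ Paths = 'Path'; Hashes = 'Hash' }[$kind]
                    Target      = $target
                    Description = $r.Description
                }
            }
        }
    }
    [pscustomobject]@{
        DefaultLevel    = $levels[$default]
        Rules           = @($rules)
        ExecutableTypes = @($cfg.ExecutableTypes)    # REG_MULTI_SZ, extensions without the dot
    }
}

$policy = Get-SrpPolicy
if (-not $policy) { Write-Warning 'No Software Restriction Policy is applied to this machine'; return }

"Default level : $($policy.DefaultLevel)"
if ($policy.DefaultLevel -eq 'Disallowed') { 'Mode          : allow-list (only rule targets run)' }
else                                        { 'Mode          : block-list (everything runs except rule targets)' }
$policy.Rules | Format-Table -AutoSize

$missing = $slideTypes | Where-Object { $policy.ExecutableTypes -notcontains $_ }
if ($missing) { "Designated file types from the slide not covered on this host: $($missing -join ' ')" }
```

A Disallowed default with a short list of path rules for %SystemRoot% and %ProgramFiles% is the usual shape on a hardened perimeter host; a rule at the Unrestricted level under a Disallowed default is an exception worth reading, because it is exactly the list an attacker needs to land in.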
Configuring IIS Security
IIS 5.0: run IIS Lockdown; configure URLScan
IIS 6.0: installed in lockdown mode by default; do not install what you do not need!; configure URLScan verbs
Using IPSec for Additional Host-Based Security
Three usage scenarios:
- Block network traffic
- Provide authentication and integrity validation
- Provide secure, encrypted communication channels
IPSec Example
Topology (diagram): Internet, Firewall, Web Server (WS), SQL Server, TS Host

IPSec policy on Web Server
- Permit: Any -> WS port TCP 80; Any -> WS port TCP 443
- Require Security: WS port 1433 <> SQL port 1433; WS port 3389 <> TS port ANY
- Block: Any <> Any

IPSec policy on SQL Server
- Require Security: SQL port 1433 <> WS port 1433; SQL port 3389 <> TS port ANY
- Block: Any <> Any

IPSec policy on TS Host
- Require Security: ANY <> TS port 3389; TS port ANY <> SQL port 3389; TS port ANY <> WS port 3389
- Block: Any <> Any

The Block Any <> Any filter does not swallow the others: Windows IPSec applies the most specific matching filter, so the port-specific Permit and Require Security filters win and everything else is blocked.
Default Exempt Rules in IPSec
Stored in the registry value HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt (DWORD)

NoDefaultExempt   Traffic exempt from IPSec filtering
0                 RSVP, IKE, Kerberos, multicast, broadcast (Windows 2000 default)
1                 IKE, multicast, broadcast (RSVP and Kerberos are now filtered)
2                 RSVP, IKE, Kerberos (multicast and broadcast are now filtered)
3                 IKE only (Windows Server 2003 default)
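The web server policy from the IPSec example and the exemption setting above, as an added example (not from the deck) in the `netsh ipsec static` context of Windows 2000/XP/Server 2003. The SQL Server and TS Host addresses, the policy and filter-list names, and the ESP[3DES,SHA1] method are my placeholders; Kerberos authentication assumes the DMZ AD forest from the large-environment diagram.

```powershell
# Added example, not from the slides: build the web server policy from the
# IPSec example with "netsh ipsec static" and set NoDefaultExempt=3 so that
# only IKE bypasses the final Block Any<>Any filter. Addresses and names are
# placeholders (assumptions). Run elevated on the web server; the policy stays
# unassigned until reviewed.
$SqlServer = '10.0.1.20'   # assumption: SQL Server address
$TsHost    = '10.0.2.10'   # assumption: Terminal Server host address

function Invoke-NetshIpsec { & netsh ipsec static @args }

# Filter actions: Permit, Block, and "Require Security" = negotiate ESP with
# no fallback to cleartext (soft=no) and no unsecured inbound (inpass=no).
Invoke-NetshIpsec add filteraction name=Permit          action=permit
Invoke-NetshIpsec add filteraction name=Block           action=block
Invoke-NetshIpsec add filteraction name=RequireSecurity action=negotiate soft=no inpass=no 'qmsecmethods=ESP[3DES,SHA1]'

# Filter lists. "me" is this host; srcport=0 is any source port (the slide's
# "WS Port 1433" is really an ephemeral port on the web server); mirrored=yes
# also matches the reply direction.
Invoke-NetshIpsec add filterlist name=WebInbound
Invoke-NetshIpsec add filter filterlist=WebInbound srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80  mirrored=yes
Invoke-NetshIpsec add filter filterlist=WebInbound srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes
Invoke-NetshIpsec add filterlist name=ToSql
Invoke-NetshIpsec add filter filterlist=ToSql srcaddr=me dstaddr=$SqlServer protocol=TCP srcport=0 dstport=1433 mirrored=yes
Invoke-NetshIpsec add filterlist name=FromTs
Invoke-NetshIpsec add filter filterlist=FromTs srcaddr=$TsHost dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
Invoke-NetshIpsec add filterlist name=Everything
Invoke-NetshIpsec add filter filterlist=Everything srcaddr=any dstaddr=me protocol=ANY mirrored=yes

# Policy and rules. The most specific matching filter wins, so the
# port-specific rules take precedence over the catch-all Block.
Invoke-NetshIpsec add policy name=PerimeterWeb assign=no
Invoke-NetshIpsec add rule name=AllowWeb  policy=PerimeterWeb filterlist=WebInbound filteraction=Permit
Invoke-NetshIpsec add rule name=SecureSql policy=PerimeterWeb filterlist=ToSql      filteraction=RequireSecurity kerberos=yes
Invoke-NetshIpsec add rule name=SecureRdp policy=PerimeterWeb filterlist=FromTs     filteraction=RequireSecurity kerberos=yes
Invoke-NetshIpsec add rule name=BlockRest policy=PerimeterWeb filterlist=Everything filteraction=Block

# Default exemptions (table above): 0 lets broadcast, multicast, RSVP and
# Kerberos straight past the Block filter. 3 exempts only IKE; restart the
# IPSEC service (or the host) for the change to take effect.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC' -Name NoDefaultExempt `
                 -PropertyType DWord -Value 3 -Force | Out-Null

# Review the result, then assign the policy:
netsh ipsec static show all
# Invoke-NetshIpsec set policy name=PerimeterWeb assign=yes
```

Two practical consequences of NoDefaultExempt=3 that the slide's tables leave implicit: Kerberos to the DMZ domain controller is no longer exempt, so the web server needs a Permit (or Require Security) filter to its DC for DNS, Kerberos and LDAP before kerberos=yes can negotiate anything, and the same applies to the SQL Server and TS Host, whose policies mirror the one above. On Windows Vista and later the equivalent is a set of connection security rules (netsh advfirewall consec or New-NetIPsecRule) with AES rather than 3DES.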
Managing the Perimeter
Components (diagram): Admin Laptop, Internet, Firewall, RRAS Server with IAS as RADIUS Proxy, Firewall, Active Directory with IAS as RADIUS Server, Terminal Server Host
Terminal Server Tips
- Use a TS Host in the perimeter to hop between other systems
- Harden the TS Host and use SRPs
- Use IPSec for authentication, transport security and as a host-based firewall
- Do not rely on built-in Terminal Server security: no server authentication (the client cannot verify which host it is talking to) and limited control over key exchange/key material
What did we not talk about? Topics for future study
- Physical security
- Patch management
- Political issues
- Content management and propagation
- Monitoring and auditing
- Application security
Closing Thoughts...
- Securing applications in the perimeter is not easy for networks with high complexity
- Think about building reusable security components
- Plan for security scalability
- Build security in from the start
Suggested Reading And Resources
The tools you need to put technology to work!
- Microsoft Windows Security Resource Kit (Microsoft Press, available today)
- Writing Secure Code, 2nd edition (Microsoft Press, available today)
Ask The Experts: Get Your Questions Answered
Talk with experts about how technology can enable your organization.
I will be at the Security booth tomorrow, 15:00 to 18:00, or earlier/later by request. Lattes are happily accepted ;)
Community Resources
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups (converse online with Microsoft Newsgroups, including worldwide): http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups (meet and learn with your peers): http://www.microsoft.com/communities/usergroups/default.mspx
- MSA Firewall, Router and Switch Config: http://www.microsoft.com/solutions/msa/default.asp
- ISA Feature Pack: http://www.microsoft.com/isaserver/featurepack1/overview/default.asp
- Microsoft Solution for Security: http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp (2000); http://go.microsoft.com/fwlink/?LinkId=14845 (2003)
- Software Restriction Policy: http://www.microsoft.com/windows2000/technologies/security/redir-wnetsafer.asp
Appendix
- IPSec: http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp ; http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp ; http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/server/sag_IPSECbestpract.asp ; http://support.microsoft.com/?id=813878
- IIS Lockdown & URLScan 2.5: http://www.microsoft.com/technet/security/tools/tools/locktool.asp ; http://www.microsoft.com/technet/security/tools/tools/urlscan.asp
- AppSec: http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.