SEC313: Securing Enterprise Platforms And Perimeters
AKA – Building a Perimeter Platform and Infrastructure (with security)

Ben Smith
Senior Security Strategist
Microsoft Corporation

Posted on 19-Dec-2015

TRANSCRIPT

Agenda

Understanding the Goals of Network Perimeter Security

Defining the Basic Rules of Engagement for Security

Building a Perimeter Platform for Security using Microsoft technologies

Application Security

Host Security

Closing Notes

Understanding the Goals

Security goal #1: Keep information away from the attacker

Security goal #2: Allow the right users access to the right information

Security goal #3: Keep a record of #1 and #2

Security goal #4: Make sure that security is user/administrator friendly

Security goal #5: Don’t let the previous goals cost too much

It can be done! ...and it can be done without a firewall!

Open Hack 4 - eWeek Magazine's annual contest

This year: application-level security focus

Goal: modify information in database

82,500 attempted attacks over 2 ½ weeks

Microsoft entry wasn’t compromised

Lesson learned: Reasonably skilled administrators and developers can build Windows environments that are secure and resilient against attack

10 Basic Rules of Perimeter Security

1. Minimize the attack surface

2. Least Privilege (deny by default)

3. Defense-in-Depth

4. Compartmentalization

5. Carry a big stick (You have to tell people NO!)

6. Understand what your perimeter really is!

7. Know you cannot defend against other Administrators or poor physical security

8. Assess your security (the attacker will be!)

9. If you are not up-to-date, you are not secure

10. Avoid Assumptions

Application Security

Ben’s rule of perimeter application security:

If the application has security holes, the best you can hope for is to slow the hackers down or limit the damage the attacker can do

You must work with your developers!

Key Components

Input Validation, Input Validation, Input Validation

Authentication

Impersonation/Delegation

Data Security

Coding Practices

Code Review

Penetration Testing

Lessons Learned: Input Validation (case study)

For every application in/on the perimeter you must answer:

1. What data is being accessed or stored locally
2. What data is being transmitted
3. Define how the application communicates to other computers
4. How is authentication handled
5. What security measures the application is providing
6. What services the application depends on
7. How the application will be managed
8. Who will be managing the application
9. How can operations be audited
10. What the potential threats and vulnerabilities of the application are

Infrastructure/Host Security

Perimeter Architecture Examples
Baseline security
TCP/IP Security
Software Restriction Policies
IIS 6.0
IPSec
Management Networks

Perimeter Architecture: Small environment

Diagram components: Internet, Web Server, Test Web Server, ISA Server with inbound VPN, Active Directory, LAN Clients

Traffic allowed in:
Web - TCP 80/443 via web publishing
DNS - TCP/UDP 53
PPTP - IP 47, UDP 1723 to the ISA Server

Traffic allowed out:
DNS – TCP/UDP 53
Web/FTP using proxy services

Perimeter Architecture: Large environment

Diagram components:
Internet
ISA Server (Internet edge)
Perimeter Network: Web Servers/Server Farms, SQL Database/Cluster, DMZ AD Forest
ISA Server (between perimeter and management networks)
Management Network: Terminal Server, RRAS Server with IAS as RADIUS Proxy, Active Directory with IAS as RADIUS Server
Limited Access Network
ISA Server (corporate edge)
Corporate Network: Active Directory

Perimeter Security Challenges

Most security challenges are related to the expansion from small to large

Network-level complexity: more router ACLs, complex firewall rules, more IPSec policies, more multi-connected boxes

People-level complexity: more administrators, distributed data to secure, more patch management issues

Host-level complexity: more systems and applications to monitor, authentication issues to manage, content propagation and management

2 Ways to Address the Complexity

Design the scalability of security from the start: follow best practices for environments with more complexity and higher security requirements

Create a security budget for expansion

Assess the security of your network from the outside

Think about compartmentalization!

Build reusable security components on the hosts

Baseline security policy: Security Templates

Server specific security policy: Security Templates, SRPs, Security Tools

Host-based IP security: TCP/IP Security, IPSec policies

Management security: VPN, Network Access Quarantine, RADIUS, Multifactor auth

Baseline Security

Starts and ends with credential management

Tips:

1. Use multi-factor authentication when possible

2. Educate users and administrators on creating passwords: it is often easier for users to remember 20 to 30 character passwords than 8 character passwords

3. Enforce password complexity systematically

4. Don’t reuse passwords or share accounts

5. Avoid account lockout policies (aka the “increase your support costs feature”)

There is no patch for weak passwords or weakly managed passwords!

Password Reuse Issue

Scenario: Server 1, Server 2 and Server 3 each run an account (BackupAccount1, MailServiceAccount1 and Administrator) with the same password, VeryHardToGuessPassword.

1. Server 1 gets hacked
2. Attacker extracts LSA Secrets
3. Obtains password to service accounts
4. Attacker attempts to use the Server 1 password on Server 1..ServerN
5. Hacks Server 2 and Server 3

Baseline Security Options

Start with the Windows Hardening Guides

Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14845

Securing Windows 2000 Server
http://go.microsoft.com/fwlink/?LinkId=14837

Add settings for your requirements

Always test the settings in your environment!

Highlights from the Baseline Guide

Configures Audit Policy

Removes LM Password Hashes

Raises NTLM Compatibility

Restricts anonymous enumeration

Disables POSIX Subsystem

Further restricts Services

TCP/IP Security on the host

Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

EnableICMPRedirect: protects against bouncing ICMP packets to 3rd parties. Set to 0.

DisableIPSourceRouting: prevents an attacker from dictating the path of IP-based packets. Set to 2.

SynAttackProtect: aggressively times out TCP connections. Set to 1 in Windows Server 2003; set to 2 in Windows 2000 and Windows XP.
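An added example (not from the deck) that audits a host's values under that key against the three settings above, with the OS-dependent SynAttackProtect expectation; the snapshot is constructed, and only read_tcpip_values() needs Windows.

```python
# Added example, not from the deck: audit a host's TCP/IP hardening values
# against the settings recommended above. The comparison is pure Python so it
# can be exercised with a constructed snapshot; read_tcpip_values() needs Windows.
TCPIP_KEY = r"System\CurrentControlSet\Services\Tcpip\Parameters"  # under HKLM


def recommended_tcpip_values(os_name):
    """Recommended values from the deck. SynAttackProtect is 1 on
    Windows Server 2003 and 2 on Windows 2000 / Windows XP."""
    syn = 1 if "2003" in os_name else 2
    return {
        "EnableICMPRedirect": 0,      # ignore ICMP redirects (no bouncing to 3rd parties)
        "DisableIPSourceRouting": 2,  # drop all source-routed packets
        "SynAttackProtect": syn,      # time out half-open connections aggressively
    }


def audit_tcpip(current, os_name):
    """Return (name, current, recommended) for every deviating value.
    A value that is absent is reported as None: the unhardened default applies."""
    findings = []
    for name, want in recommended_tcpip_values(os_name).items():
        have = current.get(name)
        if have != want:
            findings.append((name, have, want))
    return findings


def read_tcpip_values():
    """Read the three values from the live registry (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_KEY) as key:
        for name in recommended_tcpip_values("Windows Server 2003"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set: audit_tcpip() reports it as None
    return values


# Constructed snapshot of a freshly built Windows Server 2003 host: ICMP
# redirects still honoured and SynAttackProtect never set.
SAMPLE_SNAPSHOT = {"EnableICMPRedirect": 1, "DisableIPSourceRouting": 2}

if __name__ == "__main__":
    for name, have, want in audit_tcpip(SAMPLE_SNAPSHOT, "Windows Server 2003"):
        print(f"HKLM\\{TCPIP_KEY}\\{name}: is {have}, should be {want}")
```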

Lessons learned: Denial of Service attack on a major web site (case study)

Customizing Security Templates (demo)

Software Restriction Policies

Used to control applications running on a computer

Rule types:
Path Rule
Hash Rule
Certificate Rule
Internet Zone Rule

Two default levels:
• Disallowed – no application runs unless a rule specifically allows it
• Unrestricted – every application runs unless a rule explicitly disallows it

Software Restriction Policies

Control executable code:

.ADE .ADP .BAS .BAT .CHM .CMD .CPL .CRT .EXE .HLP .HTA .INF

.INS .ISP .JS .JSE .LNK .MDB .MDE .MSC .MSI .MSP .MST .PCD

.PIF .REG .SCR .SCT .SHS .URL .VB .VBE .VBS .WSC .WSF .WSH

Software Restriction Policy (demo)

Configuring IIS Security

IIS 5.0: Run IIS Lockdown; configure URLScan

IIS 6.0: Installed in lockdown mode by default

Do not install what you do not need!

Configure URLScan Verbs

IIS Lockdown and URLScan (demo)

Using IPSec for Additional Host-Based Security

Three usage scenarios:

Block network traffic

Provide authentication and integrity validation

Provide secure, encrypted communication channels

IPSec Example

Diagram: Internet – Firewall – Web Server (WS) – SQL Server (SQL), with a TS Host (TS) for administration

IPSec Policy on Web Server
Permit: Any -> WS Port TCP 80; Any -> WS Port TCP 443
Require Security: WS Port 1433 <> SQL Port 1433; WS Port 3389 <> TS Port ANY
Block: Any <> Any

IPSec Policy on SQL Server
Require Security: SQL Port 1433 <> WS Port 1433; SQL Port 3389 <> TS Port ANY
Block: Any <> Any

IPSec Policy on TS Host
Require Security: ANY <> TS Port 3389; TS Port ANY <> SQL Port 3389; TS Port ANY <> WS Port 3389
Block: Any <> Any
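The three filter lists above as an added example (not from the deck): a small Python model of Windows IPSec filter matching, where the most specific matching filter wins and a packet matching no filter passes untouched, which is why the Block Any <> Any catch-all matters. Host labels WS, SQL, TS and Internet are constructed names.

```python
# Added example, not from the deck: model the IPSec filter lists for the web
# server (WS), SQL server (SQL) and terminal server host (TS) and ask what a
# flow gets before the policy is pushed out.
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a host or a port


@dataclass(frozen=True)
class Rule:
    action: str            # "Permit", "RequireSecurity" or "Block"
    src: Optional[str]     # host label or ANY
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    mirrored: bool = True  # "<>" on the slide matches both directions; "->" does not


def _fields(rule):
    return (rule.src, rule.sport, rule.dst, rule.dport)


def _matches(rule, packet):
    fwd = all(r is ANY or r == p for r, p in zip(_fields(rule), packet))
    if fwd or not rule.mirrored:
        return fwd
    src, sport, dst, dport = packet  # mirrored: try the reverse direction
    return all(r is ANY or r == p for r, p in zip(_fields(rule), (dst, dport, src, sport)))


def decide(policy, src, sport, dst, dport):
    """Action for the initiating packet src:sport -> dst:dport."""
    hits = [r for r in policy if _matches(r, (src, sport, dst, dport))]
    if not hits:
        return "Permit (no filter matched)"  # IPSec never sees it: passes unfiltered
    # Windows IPSec applies the most specific filter: count the non-wildcard fields
    return max(hits, key=lambda r: sum(f is not ANY for f in _fields(r))).action


BLOCK_ALL = Rule("Block", ANY, ANY, ANY, ANY)

# Transcribed from the slides. Note the slides pin the client's port as well
# (WS port 1433 <> SQL port 1433); a real client uses an ephemeral source port,
# so a deployed filter would leave the client side as ANY.
WS_POLICY = [
    Rule("Permit", ANY, ANY, "WS", 80, mirrored=False),
    Rule("Permit", ANY, ANY, "WS", 443, mirrored=False),
    Rule("RequireSecurity", "WS", 1433, "SQL", 1433),
    Rule("RequireSecurity", "WS", 3389, "TS", ANY),
    BLOCK_ALL,
]
SQL_POLICY = [
    Rule("RequireSecurity", "SQL", 1433, "WS", 1433),
    Rule("RequireSecurity", "SQL", 3389, "TS", ANY),
    BLOCK_ALL,
]
TS_POLICY = [
    Rule("RequireSecurity", ANY, ANY, "TS", 3389),
    Rule("RequireSecurity", "TS", ANY, "SQL", 3389),
    Rule("RequireSecurity", "TS", ANY, "WS", 3389),
    BLOCK_ALL,
]
```

Dropping BLOCK_ALL from a list and re-running decide() on an unlisted port shows the unfiltered pass-through that the catch-all exists to close.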

Default Exempt Rules in IPSec

Stored in the registry value: HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

Traffic exempted from IPSec filtering, by NoDefaultExempt value:

0: RSVP, IKE, Kerberos, Multicast, Broadcast
1: IKE, Multicast, Broadcast
2: RSVP, IKE, Kerberos
3: IKE

IPSec (demo)

Managing the Perimeter

Diagram components: Admin Laptop – Internet – Firewall – RRAS Server with IAS as RADIUS Proxy – Firewall – Terminal Server Host, Active Directory with IAS as RADIUS Server

Terminal Server Tips

Use a TS Host in the perimeter to hop between other systems

Harden TS Host and use SRPs

Use IPSec for: authentication, transport security, host-based firewall

Do not rely on built in Terminal Server security: no authentication, limited control over key exchange/key material

What did we not talk about? Topics for future study

Physical security

Patch management

Political issues

Content management and propagation

Monitoring and auditing

Application security

Closing Thoughts…

Securing applications in the perimeter is not easy for networks with high complexity

Think about building reusable security components

Plan for security scalability

Build security in from the start

Suggested Reading And Resources

The tools you need to put technology to work!

TITLE – Available
Microsoft® Windows® Security Resource Kit – Today
Writing Secure Code 2 – Today

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

Ask The Experts: Get Your Questions Answered

Talk with experts about how technology can enable your organization

I will be at the Security booth tomorrow: 15:00 to 18:00

Or earlier/later by request

Lattes are happily accepted ;)

Community Resources

Community Resources
http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/

Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups: Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx

MSA Firewall Router and Switch Config
http://www.microsoft.com/solutions/msa/default.asp

ISA Feature Pack
http://www.microsoft.com/isaserver/featurepack1/overview/default.asp

Microsoft Solution for Security
http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp (2000)
http://go.microsoft.com/fwlink/?LinkId=14845 (2003)

Software Restriction Policy
http://www.microsoft.com/windows2000/technologies/security/redir-wnetsafer.asp

Appendix

IPSec
http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/server/sag_IPSECbestpract.asp
http://support.microsoft.com/?id=813878

IIS Lockdown & URLScan 2.5
http://www.microsoft.com/technet/security/tools/tools/locktool.asp
http://www.microsoft.com/technet/security/tools/tools/urlscan.asp

AppSec
http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.