SEC302 Windows Server 2003 Security Enhancements
Ben Smith, Senior Security Strategist, Microsoft Corporation
(Transcript of the TechEd 2003 slide deck; posted 19-Dec-2015)
Agenda
What We Did Differently
Security Enhancements in Windows Server 2003
  IIS 6.0 Re-architecture
  Changes with Permissions
  System Services
  Enhancements to IPSec
  All new: Network Access Quarantine
  Software Restriction Policies
Windows Server 2003 Security Guidance
What's coming...
The Security Framework: SD3+C

Secure by Design
  Mandatory training
  Built threat models
  Conducted code reviews and penetration testing
  Used automated code tools
  Redesigned IIS 6.0 architecture

Secure by Default
  60% less attack surface area by default compared to Windows NT 4.0 SP3
  20+ services changed to be off by default
  Services install in a secure state (IIS 6.0 Lockdown)

Secure by Deployment
  New patch management tools
  7 Microsoft Official Curriculum courses available at launch
  Official security configuration guides
  Integrated security tools

Communications
  Writing Secure Code 2.0
  Architecture webcasts
Security in Active Directory

Cross-Forest Trusts
Enables administrators to create external forest-to-forest trusts.

Cross-Forest Authentication
Enables secure access to resources when the user account is in one forest and the computer account is in another forest.

Cross-Forest Authorization
Enables administrators to select users and groups from trusted forests for inclusion in local groups or ACLs.

IAS and Cross-Forest Authentication
If the Active Directory forests are in cross-forest mode with two-way trusts, IAS/RADIUS can authenticate a user account that lives in the other forest.
PKI Enhancements
Cross-certification support
Role separation
Custom certificate templates (version 2)
Delta CRLs
Key archival/recovery
Auto-enrollment
Auditing of admin operations
See: Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp
Miscellaneous Enhancements
DLL search order changed: \windows\system32 is now searched before the working directory, so a DLL planted next to a document no longer shadows a system DLL (SafeDllSearchMode)
AES-256 is the default EFS encryption algorithm
Everyone group no longer includes anonymous users (it still includes Users and Guests)
Accounts with blank passwords are console-bound: they cannot be used for network logon
Protected EAP (PEAP)
Detailed security auditing
RRAS Basic Firewall
Miscellaneous Enhancements
IIS 6.0 Lockdown mode
IIS re-architecture
Authorization Manager (AuthMan)
Credential Manager (CredMan)
Constrained delegation
.NET Framework 1.1 Code Access Security
Administrator password complexity
Screen saver timeout

Miscellaneous Enhancements
Account Logon auditing enabled by default
Anonymous access restricted for SAM enumeration, named pipes and shares
Remote registry decoupled from the Server service
NTLM compatibility setting keeps LM responses off the wire
IE Lockdown
Terminal Server rights control
DPAPI integration
Greatly improved Help file for security
IIS 5 Request Processing (diagram)
User mode: INETINFO.exe hosts the metabase and the FTP, NNTP and SMTP services and handles the HTTP request/response path; out-of-process applications run in DLLHOST.exe instances.
Kernel mode: only TCP/IP, AFD and WinSock; no HTTP processing happens in the kernel.
IIS 6.0 Request Processing (diagram)
Kernel mode: the HTTP listener (HTTP.sys) with its response cache and per-application-pool request queues sits directly on TCP/IP, so requests are received and cached responses served without entering user mode.
User mode: the WWW Service handles administration and monitoring; Inetinfo hosts the XML metabase and the FTP, NNTP and SMTP services; web applications run in worker processes grouped into application pools, isolated from Inetinfo and from each other.
The Security Framework at Microsoft (video)
(Yes, the same old video you have seen before)
STOP: There is no time for this! This is a level 300 session.
Permissions
Default NTFS permissions locked down
  Was: Everyone Full Control
  Now: Everyone Read and Execute (root of the volume only)
       Users Read and Execute, Create Folder, Create File
       SYSTEM, CREATOR OWNER, Administrators Full Control
Default share permissions
  Was: Everyone Full Control
  Now: Everyone Read
New features: Effective Permissions tool; Replace Owner through the GUI
What do all of these services have in common?
Alerter, Clipbook, Distributed Link Tracking (Server), IMAPI CD-ROM Burning Service, Human Interface Devices, ICS/ICF, Intersite Messaging, KDC, License Logging Manager, Terminal Server Discovery Service, Windows Image Acquisition, Messenger, NetMeeting, NetDDE, NetDDE DSDM, RRAS, Telnet, Themes, WebClient, Windows Audio
Startup = Disabled
System Service Accounts
Local Service and Network Service
  No password to manage
  Run with only slightly more permissions than Authenticated Users
  Local Service cannot authenticate across the network; Network Service authenticates as the computer account
Local System
  No password to manage
  Bypasses security checks
User accounts
  Run with less privilege than Local System
  Password is stored as an LSA secret
  Can be complex to configure
What's New with IPSec?
Management
  IP Security Monitor
  Command-line management with Netsh
  Logical addresses for local IP configuration
Security
  Stronger cryptographic master key (a 2048-bit Diffie-Hellman group for IKE)
  Computer startup security
  Persistent policy for enhanced security
  Ability to exclude the name of the CA from certificate requests
  Better default exemption handling
Interoperability
  IPSec functionality over network address translation (NAT traversal)
  Improved IPSec integration with Network Load Balancing
Default Exempt Rules in IPSec
Stored in the registry value: HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD)

NoDefaultExempt value   Traffic exempt from IPsec filtering
0                       RSVP, IKE, Kerberos, Multicast, Broadcast
1                       IKE, Multicast, Broadcast
2                       RSVP, IKE, Kerberos
3                       IKE only

Windows 2000 and Windows XP default to 0; Windows Server 2003 defaults to 3. IKE stays exempt in every mode because IPsec cannot negotiate security associations without it.
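The exemption table above decides which packets the IPsec driver passes without ever consulting the policy, so it also decides what an attacker can push past an IPsec filter. The following is an added example, not code from the slide deck or from Windows: it models the four NoDefaultExempt values as the two bits they actually are and classifies constructed packets against them. The port and protocol numbers are the standard ones (IKE = UDP 500, Kerberos = TCP/UDP 88, RSVP = IP protocol 46); the packets themselves are constructed for the demonstration.

```python
# Added example (not from the slide deck): which traffic bypasses IPsec
# filtering under each NoDefaultExempt value, and a packet classifier to
# show the spoofed-source-port-88 bypass that value 0 permits.
import ipaddress
from typing import NamedTuple, Set

ALL_EXEMPTIONS = frozenset({"RSVP", "IKE", "Kerberos", "Multicast", "Broadcast"})


def exempt_traffic(no_default_exempt: int) -> Set[str]:
    """Traffic classes the driver passes without consulting IPsec policy.

    Bit 0 (value 1) withdraws the Kerberos and RSVP exemptions; bit 1
    (value 2) withdraws the multicast and broadcast exemptions. IKE is
    always exempt because no SA can be negotiated without it.
    """
    if not 0 <= no_default_exempt <= 3:
        raise ValueError("NoDefaultExempt must be 0..3")
    exempt = set(ALL_EXEMPTIONS)
    if no_default_exempt & 1:
        exempt -= {"Kerberos", "RSVP"}
    if no_default_exempt & 2:
        exempt -= {"Multicast", "Broadcast"}
    return exempt


class Packet(NamedTuple):
    proto: str       # "tcp", "udp" or "rsvp"
    src_port: int    # 0 for protocols without ports
    dst_port: int
    dst_ip: str


def classify(pkt: Packet) -> str:
    """Map a packet to the exemption class the driver would check it against."""
    if pkt.proto == "rsvp":
        return "RSVP"
    if pkt.proto == "udp" and pkt.src_port == 500 and pkt.dst_port == 500:
        return "IKE"
    # The Kerberos exemption matched *either* endpoint on port 88. That is why,
    # with the Windows 2000 default of 0, a client choosing source port 88
    # could reach any port on an IPsec-filtered host unfiltered.
    if pkt.proto in ("tcp", "udp") and 88 in (pkt.src_port, pkt.dst_port):
        return "Kerberos"
    dst = ipaddress.ip_address(pkt.dst_ip)
    if dst.is_multicast:
        return "Multicast"
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "Broadcast"
    return "other"


def bypasses_ipsec(pkt: Packet, no_default_exempt: int) -> bool:
    """True if the packet reaches the host without IPsec filter processing."""
    return classify(pkt) in exempt_traffic(no_default_exempt)


# Constructed packets: an SMB probe with a spoofed Kerberos source port, and
# a genuine IKE main-mode datagram.
SPOOFED_SMB = Packet("tcp", 88, 445, "10.0.0.5")
IKE_MAIN_MODE = Packet("udp", 500, 500, "10.0.0.5")

if __name__ == "__main__":
    for value in range(4):
        print(value, sorted(exempt_traffic(value)),
              "spoofed SMB bypasses filter:", bypasses_ipsec(SPOOFED_SMB, value))
```

Running it shows the spoofed SMB packet slipping through at value 0 and 2 and being filtered at 1 and 3, which is the practical reason Windows Server 2003 moved the default to 3.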
Managing IPSec with Netsh
Options not available through the UI:
Configure default exemptions
Enable CRL checking
Enable IKE logging
Enable IPsec driver dynamic logging
Enable persistent policy
Configure startup exemptions
(demo)
What is Network Access Quarantine? (diagram)
1. The remote access client authenticates.
2. The RAS client is placed in quarantine.
3. If the RAS client meets the quarantine policies, it gets full access to the network.
4. The RAS client is disconnected if it fails the policy check or the quarantine timeout is reached.
What are policy rules?
Quarantine policy rules are configurable; common rules may include:
Service packs or the latest hotfixes installed
Antivirus software installed
Antivirus signature files updated
Routing disabled on the RAS client
Internet Connection Firewall enabled
A password-protected screensaver enabled
Quarantine Architecture (diagram: Internet, RAS Client, RRAS Server, IAS Server, Quarantine network)
RAS Client: CM profile
  Runs a customizable post-connect script
  The script runs the RQC notifier with a "results string"
RRAS Server: Listener
  RQS receives the notifier's "results string"
  Compares the results to the possible results
  Removes the time-out if a response was received but the client is out of date
  Removes the quarantine filter if the client is up to date
IAS Server: Quarantine VSAs
  Timer limits the time window to receive the notification before auto-disconnect
  Q-filter sets a temporary route filter that limits the client to quarantine access
RQC.exe and RQS.exe are in the Windows Server 2003 Resource Kit
Detailed Quarantine Process (diagram: Internet, RAS Client, RRAS Server, IAS Server, Quarantine network)
1. Connect: RAS client to RRAS server over the Internet
2. Authenticate: RRAS server forwards to the IAS server
3. Authorize: IAS returns the quarantine VSA plus the normal filters
4. Quarantine access: the client can reach only the quarantine network
5. Policy check runs on the client; the result is sent to the RRAS server
6. Remove quarantine
7. Full access
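The two quarantine slides above describe a small state machine: the session enters quarantine at authorization, leaves it only when RQS accepts the RQC results string, and is torn down if the timer expires first. The following is an added example, not code from the deck or from the Resource Kit tools: it simulates that flow on the RRAS side together with the client's post-connect script. The check names, script version strings, the "timeout"/"qfilter" attribute keys and the timings are constructed for the demonstration; the real VSAs (MS-Quarantine-Session-Timeout and MS-Quarantine-IPFilter) and the real RQC-to-RQS TCP notification are not encoded here.

```python
# Added example (not from the slide deck): simulation of the Network Access
# Quarantine flow. Names, attribute keys and timings are constructed.
from typing import Optional

QUARANTINED, FULL_ACCESS, DISCONNECTED = "quarantine", "full-access", "disconnected"

# The common policy rules listed on the slide, as the client-side checks the
# post-connect script would run.
REQUIRED_CHECKS = ("service_pack_current", "antivirus_installed", "av_signatures_current",
                   "routing_disabled", "icf_enabled", "screensaver_password")


def run_post_connect_script(client_state: dict, script_version: str) -> Optional[str]:
    """CM post-connect script: run RQC with the script version only if every check passes.

    Returns the results string RQC would send, or None when the client is
    non-compliant (no notification is sent, so the server-side timer will fire).
    """
    if all(client_state.get(check, False) for check in REQUIRED_CHECKS):
        return script_version
    return None


class QuarantineSession:
    """RRAS-side state for one remote access session."""

    def __init__(self, connected_at: float, accepted_results: set):
        self.connected_at = connected_at
        self.accepted_results = set(accepted_results)   # what RQS compares against
        self.state = "authenticated"
        self.filters = []
        self.timeout: Optional[float] = None
        self.events = []

    def authorize(self, vsa: dict) -> str:
        """IAS matched a remote access policy and returned its attributes.
        A quarantine VSA adds the Q-filter on top of the normal filters and
        starts the disconnect timer; without it the client gets full access."""
        self.filters = ["normal-filters"]
        if "qfilter" in vsa:
            self.filters.append(vsa["qfilter"])
            self.timeout = vsa.get("timeout")
            self.state = QUARANTINED
        else:
            self.state = FULL_ACCESS
        self.events.append(("authorize", self.state))
        return self.state

    def on_notify(self, results: str) -> str:
        """RQS listener: compare the RQC results string with the accepted set."""
        if self.state != QUARANTINED:
            return self.state
        self.timeout = None                      # a response arrived: cancel auto-disconnect
        if results in self.accepted_results:     # client up to date: drop the quarantine filter
            self.filters = [f for f in self.filters if not f.startswith("qfilter")]
            self.state = FULL_ACCESS
        self.events.append(("notify", results, self.state))
        return self.state

    def tick(self, now: float) -> str:
        """RRAS timer: disconnect a quarantined client that never notified in time."""
        if (self.state == QUARANTINED and self.timeout is not None
                and now - self.connected_at >= self.timeout):
            self.state, self.filters = DISCONNECTED, []
            self.events.append(("timeout", now))
        return self.state


def simulate(client_state: dict, script_version: str, seconds_elapsed: float = 120.0) -> str:
    """Connect, authorize into quarantine, run the client script, then let the timer fire."""
    session = QuarantineSession(connected_at=0.0, accepted_results={"script-v1.2"})
    session.authorize({"timeout": 60.0, "qfilter": "qfilter: permit 10.0.99.0/24 only"})
    results = run_post_connect_script(client_state, script_version)
    if results is not None:
        session.on_notify(results)
    return session.tick(seconds_elapsed)


# Constructed client states.
COMPLIANT = {check: True for check in REQUIRED_CHECKS}
NO_AV = dict(COMPLIANT, antivirus_installed=False)

if __name__ == "__main__":
    print("compliant, current script:", simulate(COMPLIANT, "script-v1.2"))
    print("compliant, stale script:  ", simulate(COMPLIANT, "script-v1.0"))
    print("no antivirus:             ", simulate(NO_AV, "script-v1.2"))
```

The three outcomes match the slide's listener rules: an accepted string removes the Q-filter, a stale string cancels the timer but keeps the client in quarantine so it can fetch updates, and no notification at all ends in a timeout disconnect. Note that the results string is the only thing RQS sees; it proves which script ran, not that the checks were honest, which is why quarantine is a hygiene control rather than a security boundary.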
Software Restriction Policies
Two modes (default security levels): Disallowed, Unrestricted
Controlled executable code (designated file types):
.ADE .ADP .BAS .BAT .CHM .CMD .CPL .CRT .EXE .HLP .HTA .INF
.INS .ISP .JS .JSE .LNK .MDB .MDE .MSC .MSI .MSP .MST .PCD
.PIF .REG .SCR .SCT .SHS .URL .VB .VBE .VBS .WSC .WSF .WSH
Note that .DLL is not in the default list: libraries are only checked if the enforcement option is changed from "all software files except libraries" to "all software files".

What SRP does not protect against
Drivers or other kernel-mode software
Any program run by the SYSTEM account (SRP cannot protect against SYSTEM)
Macros inside Microsoft Office 2000 or Office XP documents: use the Office macro security settings
Programs written for the common language runtime: these use Code Access Security
Types of SRP Rules
Path rule
  Compares the path of the file being run to an allowed path list
  Use when you have a folder with many files for the same application
  Essential when SRPs are strict
Hash rule
  Compares the MD5 or SHA-1 hash of a file to the hash of the file being run
  Use when you want to allow/prohibit a certain version of a file from being run
Certificate rule
  Checks for a digital signature on the application (i.e. Authenticode)
  Use when you want to restrict both Win32 applications and ActiveX content
Internet zone rule
  Controls how Internet zones can be accessed (applies only to Windows Installer packages)
  Use in high-security environments to control access to web applications
Rule Precedence
What happens when multiple rules match a program?
Trying to run Windows Calculator, with three matching rules:
  c:\winnt                                          Unrestricted (path rule)
  A6A44A0E8A76C7B2174DE68C5B0F724D:114688:32771     Disallowed (hash rule: MD5 hash:file length:hash algorithm id, 32771 = CALG_MD5)
  c:\winnt\system32\calc.exe                        Disallowed (path rule)
Most specific matching rule wins:
1. Hash rule
2. Certificate rule
3. Path rule (among path rules, the more specific path wins)
4. Zone rule
How to Develop Policies?
List allowed applications and start them up
Consult System Information (msinfo32.exe):
  Software Environment → Running Tasks
  Software Environment → Loaded Modules
  Software Environment → Startup Programs
Create rules
Refine rules: generalize them
  C:\winnt → %WINDIR%
  C:\app\dir1, c:\app\dir2 → c:\app
Policy Gotchas
Make sure you include the following:
  Some programs consist of many EXEs (Powerpnt.exe launches mstore.exe for clip art)
  Logon scripts
  Startup folders and registry keys
  Anti-virus
  Program add-ins
Have you allowed too much? Check the ACLs on every allowed path: an Unrestricted path rule on a folder users can write to lets them run anything they drop there.
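To make the precedence slide, the "generalize rules" refine step and the "have you allowed too much?" gotcha concrete, here is an added example that is not code from the deck or from Windows: a small model of SRP rule evaluation. It builds the hash-rule string in the form the policy editor stores (hex hash:file length:CALG id, where 32771 = 0x8003 = CALG_MD5 and 32772 = CALG_SHA1), expands %VAR% path rules, and applies the documented precedence: hash, then certificate, then path (most specific path wins), then zone. The file bytes, the environment map, the rule set and the publisher names are constructed for the demonstration; certificate rules are matched on a publisher-name string because Authenticode verification is out of scope here.

```python
# Added example (not from the slide deck): a model of SRP rule evaluation.
# Inputs (file bytes, environment, rules) are constructed for the demo.
import hashlib
import ntpath
import re

CALG_MD5 = 0x8003    # 32771, the id that ends the calc.exe rule on the slide
CALG_SHA1 = 0x8004   # 32772
DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


def hash_rule_string(data: bytes, alg: int = CALG_MD5) -> str:
    """'<hash>:<file length>:<alg>' as the SRP editor records a hash rule."""
    digest = hashlib.md5(data) if alg == CALG_MD5 else hashlib.sha1(data)
    return "%s:%d:%d" % (digest.hexdigest().upper(), len(data), alg)


def expand(path: str, env: dict) -> str:
    """Expand %VAR% references (case-insensitive) and normalise for comparison."""
    upper_env = {k.upper(): v for k, v in env.items()}
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: upper_env.get(m.group(1).upper(), m.group(0)), path)
    return ntpath.normcase(expanded)


def generalize(path: str, env: dict) -> str:
    r"""Refine step from the slide: rewrite a concrete prefix as %VAR% (C:\winnt -> %WINDIR%)."""
    norm = ntpath.normcase(path)
    for name, value in sorted(env.items(), key=lambda kv: -len(kv[1])):
        prefix = ntpath.normcase(value).rstrip("\\")
        if norm == prefix or norm.startswith(prefix + "\\"):
            return "%" + name.upper() + "%" + norm[len(prefix):]
    return path


def path_matches(rule_path: str, file_path: str, env: dict) -> bool:
    """A folder rule covers everything beneath it; a file rule covers that file only."""
    rule, target = expand(rule_path, env), ntpath.normcase(file_path)
    return target == rule or target.startswith(rule.rstrip("\\") + "\\")


def evaluate(file_path, data, rules, env, publisher=None, zone=None, default=UNRESTRICTED):
    """Return (security level, winning rule or None) for a file about to run."""
    candidates = []
    for rule in rules:
        kind, value = rule["type"], rule["value"]
        specificity = 0
        if kind == "hash":
            alg = int(value.rsplit(":", 1)[1])          # trailing CALG id selects the digest
            matched = value.upper() == hash_rule_string(data, alg)
        elif kind == "certificate":
            matched = publisher is not None and value == publisher
        elif kind == "path":
            matched = path_matches(value, file_path, env)
            specificity = -len(expand(value, env))      # longer path = more specific
        elif kind == "zone":
            matched = zone is not None and value == zone
        else:
            raise ValueError("unknown rule type: %s" % kind)
        if matched:
            # Sort key: rule-type precedence, then specificity, then Disallowed before Unrestricted.
            candidates.append((PRECEDENCE[kind], specificity, rule["level"] != DISALLOWED, rule))
    if not candidates:
        return default, None
    winner = min(candidates, key=lambda c: c[:3])[3]
    return winner["level"], winner


# Constructed environment, file and the slide's three conflicting rules.
ENV = {"WINDIR": r"C:\WINNT"}
CALC_BYTES = b"MZ... constructed stand-in for the calc.exe binary"
RULES = [
    {"type": "path", "value": r"%WINDIR%", "level": UNRESTRICTED},
    {"type": "hash", "value": hash_rule_string(CALC_BYTES), "level": DISALLOWED},
    {"type": "path", "value": r"%WINDIR%\system32\calc.exe", "level": DISALLOWED},
]


def demo() -> dict:
    """The slide's calc.exe conflict, a modified binary, and the writable-folder gotcha."""
    return {
        # all three rules match; the hash rule wins
        "calc": evaluate(r"C:\WINNT\system32\calc.exe", CALC_BYTES, RULES, ENV),
        # a modified calc.exe misses the hash rule; the more specific path rule wins
        "patched_calc": evaluate(r"C:\WINNT\system32\calc.exe", b"patched", RULES, ENV),
        # %WINDIR% is Unrestricted, so a file dropped in a user-writable subfolder runs
        "temp_dropper": evaluate(r"C:\WINNT\Temp\dropper.exe", b"x", RULES, ENV),
        "generalized": generalize(r"C:\winnt\system32\calc.exe", ENV),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `temp_dropper` case is the ACL gotcha in one line: the policy never mentions C:\WINNT\Temp, but the Unrestricted %WINDIR% rule covers it, so whether users can launch arbitrary code there depends entirely on the folder's ACL, not on the SRP.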
Windows Server 2003 Security Configuration Guide
Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14846
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15160
"We commend Microsoft for providing enhanced security guidance to its customers as well as for soliciting user input as part of the process of producing that guidance"
Clint Kreitner, President/CEO, Center for Internet Security
"NIST reviewed and provided technical comments & advice, that was incorporated in this guidance"
Timothy Grance, Manager, Systems and Network Security Group, NIST
Keep an eye out for…
Security Configuration Wizard (SCW) The SCW will help administrators maximize the security of servers with common roles without sacrificing required functionality. Administrators can use the Security Configuration Wizard in SCE to construct security policies for their different types of servers, and perform Lockdown Testing to verify that systems function as expected.
Microsoft Audit Collection Services (MACS) MACS is a tool to monitor and audit systems in a centralized manner. MACS collects security events in a compressed, signed, encrypted manner and loads the events into a SQL database for analysis.
Suggested Reading and Resources
The tools you need to put technology to work!
Title                                       Available
Microsoft Windows Security Resource Kit     Today
Writing Secure Code 2                       Today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Network Access Quarantine whitepaper:
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
Software Restriction Policy:
http://www.microsoft.com/windows2000/technologies/security/redir-wnetsafer.asp
Windows Server 2003 Resource Kit Tools download:
http://go.microsoft.com/fwlink/?LinkId=4544
Appendix

Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.