The 5-Step Security Checkup
Transcript of The 5-Step Security Checkup
![Page 1: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/1.jpg)
The 5-Step Security Checkup for Education
Barbara Chung, Security Advisor, Education, Microsoft Corporation
![Page 2: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/2.jpg)
Agenda
• Secure Administrative Accounts
• Implement Zones of Trust
• Build a Baseline
• Patch
• Agile Processes
![Page 3: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/3.jpg)
#1 Secure Administrative Rights
The keys to the kingdom: using them inappropriately can forfeit everything else you do for security. Two general types of problems:
• Attackers who obtain admin credentials
• Users who have been granted admin credentials but may not understand the implications of using them carelessly or incorrectly
![Page 4: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/4.jpg)
#1 Secure Administrative Rights
• Forest is the security boundary, not the domain.
• You must trust ALL domain admins.
• Admin accounts: not email-enabled, not used as desktop accounts, use restricted to trusted machines.
![Page 5: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/5.jpg)
Administrative Accounts
• Administrator
• Created accounts assigned to admin groups
• Accounts that use:
– EFS Data Recovery certificates
– Enrollment Agent certificates
– Key Recovery Agent certificates
![Page 6: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/6.jpg)
Administrative Groups
– …in the Builtin container: for example, Account Operators, Server Operators
– …in the Users container: for example, Domain Admins, Group Policy Creator Owners
– Anything that you create and assign admin privileges to
![Page 7: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/7.jpg)
Administrative Groups: Default Domain Groups
– Enterprise Admins
– Domain Admins
– Schema Admins
– Group Policy Creator Owners
– Administrators group
– Administrator account
– DS Restore Mode Administrator
![Page 8: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/8.jpg)
Admin Account Types
• Local admin accounts
• Domain admin accounts
• Forest admin accounts
![Page 9: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/9.jpg)
Principle of Least Privilege
• Always grant the minimum privileges required to complete the current task
• Requires some work, but helps you understand your organization
• Don't do it: logging on as Domain Admin to troubleshoot a workstation with suspected security problems
![Page 10: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/10.jpg)
Best Practices
• Separate domain administrator and enterprise administrator roles.
• Separate user and administrator accounts.
• Use the Secondary Logon service.
• Run a separate Terminal Services session for administration.
• Rename the default Administrator account.
• Create a decoy Administrator account.
• Create a secondary Administrator account and disable the built-in Administrator account.
![Page 11: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/11.jpg)
Best Practices, cont.
• Enable Account Lockout for Remote Administrator Logons (passprop.exe).
• Create a strong Administrator password.
• Automate scanning for weak passwords.
• Use administrative credentials on trusted computers only.
• Audit accounts and passwords on a regular basis.
• Prohibit account delegation.
• Control the administrative logon process.
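The regular audit the slides call for, as an added PowerShell example (not from the deck): it walks the privileged groups named on the "Administrative Groups" slides and flags members that break the deck's rules (mail-enabled admin accounts, and accounts not marked "sensitive and cannot be delegated"). It assumes the ActiveDirectory RSAT module and read access to the domain; the output file name is arbitrary.

```powershell
# Added example, not the deck's own code. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Groups from the "Administrative Groups" slides (Builtin and Users containers).
# Enterprise Admins and Schema Admins exist only in the forest root domain, so
# errors for them are suppressed when run in a child domain.
$privilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins',
    'Group Policy Creator Owners', 'Administrators',
    'Account Operators', 'Server Operators'
)

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups: an admin two groups deep still counts.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
            -Properties mail, AccountNotDelegated, LastLogonDate, Enabled
        [pscustomobject]@{
            Group        = $group
            Account      = $u.SamAccountName
            Enabled      = $u.Enabled
            MailEnabled  = [bool]$u.mail                 # rule: admin accounts not email-enabled
            NotDelegated = [bool]$u.AccountNotDelegated  # rule: prohibit account delegation
            LastLogon    = $u.LastLogonDate
        }
    }
}

# Violations first, then the full membership as the record of this audit cycle.
$findings | Where-Object { $_.MailEnabled -or -not $_.NotDelegated } | Format-Table -AutoSize
$findings | Sort-Object Group, Account | Export-Csv -NoTypeInformation -Path .\admin-audit.csv
```

Compare admin-audit.csv between audit runs: a new name in Domain Admins or a stale LastLogon on an enabled admin account is exactly what the audit is meant to surface.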
![Page 12: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/12.jpg)
References
– The Administrator Accounts Security Planning Guide: http://www.microsoft.com/technet/security/topics/serversecurity/administratoraccounts/default.mspx
– The Services and Service Accounts Security Planning Guide: http://www.microsoft.com/downloads/details.aspx?familyid=F4069A30-01D7-43E8-8B30-3799DB2D9C2F&displaylang=en
![Page 13: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/13.jpg)
#2 Zoning
The concept is simple: enforce zones of trust on/within the network
– Blue Zone: controlled risk
– Orange Zone: reduced risk
– Red Zone: high risk
Why?
– You're clear about what you're going to manage for security (not EVERYTHING)
– Time = Opportunity
![Page 14: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/14.jpg)
#2 Zoning
• Firewalls
• 802.1x: use it to control access to the wired/wireless network
• IPSec: control end-to-end communication
![Page 15: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/15.jpg)
Zoning: 802.1x at the Border
• Standards-based; services and clients built into newer versions of Windows, but you can mix-and-match
• Components: authentication directory or directories, RADIUS services, network device (switch, WAP), client software
![Page 16: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/16.jpg)
#2 IPSec
Domain and Server Isolation
Protect trusted assets from unmanaged, rogue and guest PCs
Complement to other security mechanisms (firewall, antivirus, IDS)
Restrict communication to domain-managed computers
![Page 17: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/17.jpg)
IPsec Domain And Server Isolation
Two scenarios
– Domain isolation
– Server isolation
Protects corporate hosts or servers from unmanaged, rogue, and guest PCs
Allows communication between hosts to be restricted between domain-managed computers
![Page 18: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/18.jpg)
IPsec Domain And Server Isolation (2)
Provides ability to identify and control communications with critical client or server PCs
Complements other host security mechanisms
Complements network access protections
![Page 19: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/19.jpg)
Domain Isolation
• Allows host-to-host communication to be limited to domain members (managed computers)
• Requires IPsec authentication and protection for any communication with domain members (managed computers)
– Managed computers can initiate communication with managed and unmanaged computers
– Unmanaged computers cannot initiate communication with managed computers
![Page 20: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/20.jpg)
Scenario: Domain isolation (diagram: Common Access Infrastructure with a Protected Ring, Quarantine Ring and Boundary Ring; arrows labelled Allowed and Blocked)
![Page 21: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/21.jpg)
Server Isolation
• Requires IPsec authentication and protection for communications from hosts to specific servers
– Managed computers can initiate communication with specific servers
– Unmanaged computers cannot initiate communication with specific servers
• Group-specific server isolation
– Only managed computers that are members of a specific security group can initiate communication with specific servers
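The domain-isolation and server-isolation scenarios from the preceding slides, as an added PowerShell example (not from the deck): it expresses both as connection security rules on a domain-joined host. It assumes a Windows build with the NetSecurity module (Windows 8 / Server 2012 or later; the deck's Server 2003 era configured the same policy through the IPsec policy snap-in), that the rules are pushed by Group Policy rather than typed per host, and that the group SID is a placeholder to be replaced.

```powershell
# Added example, not the deck's own code. Assumes the NetSecurity module
# (Windows 8 / Server 2012 or later) on a domain-joined host, run as administrator.

# Kerberos machine authentication: only domain members can complete the IPsec
# handshake, which is what makes "domain-managed" enforceable on the wire.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Kerberos' -Proposal $proposal

# Domain isolation: inbound must be authenticated (unmanaged hosts cannot initiate),
# outbound only requests it (managed hosts may still reach unmanaged hosts).
New-NetIPsecRule -DisplayName 'Domain isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain

# Group-specific server isolation (applied on the protected server): require
# authentication in both directions AND authorize only one security group.
# PLACEHOLDER SID: replace with (Get-ADGroup 'Protected Machines').SID.Value.
$protectedGroupSid = 'S-1-5-21-PLACEHOLDER-1234'
Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList "O:LSD:(A;;CC;;;$protectedGroupSid)"
New-NetIPsecRule -DisplayName 'Server isolation' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Profile Domain `
    -RequireAuthorization $true

# Check: after a managed client connects, a main-mode SA names the peer's machine account;
# an unmanaged client never gets this far and its connection attempt simply fails.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

Roll the domain-isolation rule out in Request/Request mode first and watch the main-mode SAs before switching inbound to Require, so that printers, appliances and other unmanaged devices that must keep talking to managed hosts are found before they are cut off.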
![Page 22: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/22.jpg)
Scenario: Server Isolation (diagram: a Protected Machine Group within All Machines; arrows labelled Allowed and Blocked)
![Page 23: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/23.jpg)
Additional resources
Microsoft Windows Server 2003 site at http://www.microsoft.com/ipsec/
“How to isolate servers by using Internet Protocol security” Support WebCast (see Knowledge Base article 889383)
![Page 24: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/24.jpg)
#2 Zoning
Won't protect against trusted users/machines! (See #1: Secure Administrative Privileges.)
![Page 25: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/25.jpg)
Building a Baseline for Trusted Machines
• Create visibility for security incidents
• Automate deployment of lock-down images with tools like RIS, ADS
• Use Security Configuration Wizard to develop role-based templates
• Use Group Policy to enforce security settings
![Page 26: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/26.jpg)
Patching
….
![Page 27: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/27.jpg)
Agility
Agile processes are critical to maintaining a secure environment
– Who do users notify when there's a problem?
– Who can call a security crisis?
– What happens when a crisis is called?
– What's the timeline?
– How does your security group interface with the operations group?
![Page 28: The 5-Step Security Checkup](https://reader033.fdocuments.us/reader033/viewer/2022061110/54530b93af795904308b51a7/html5/thumbnails/28.jpg)
Questions?