Tomasz Zukowski Inobits Consulting Session Code: WSV301.
-
date post
15-Jan-2016 -
Category
Documents
-
view
224 -
download
0
Transcript of Tomasz Zukowski Inobits Consulting Session Code: WSV301.
12 Tips to Secure Your Windows Systems, Revisited: How Windows Vista, Windows Server 2008/R2, and Windows 7 Change the Game
Tomasz ZukowskiInobits ConsultingSession Code: WSV301
Question:How many of you do security at your company?
Question:How many of you ASKED to do security at your company?
What's This Talk All About?
Several thingsReview the fundamentals, but with a fresh "2009 perspective"A chance to help you in the ongoing battle to convince our users that security mattersIf you've made the choice to use Win 6 or 7, I want you to know where to go to get the most out of that investment security-wise
Why Security Matters
Protecting company assets, of courseBut the Internet adds a new dynamicComputers are “levers” when it comes to data; when things are good, they’re very good, and when they’re bad, they’re very bad – and get worse quickly!There are also the matters of public security, which is another very good reason to care
Twelve Tips
You are a risk managerWrite a security policyPasswordsAuthenticate rightStomp AdministratorAuditing and logsNail the services… or the developers
Physical securityHave A DR PlanUpgrade the carbon unitsStay informedPatch!
Risk Analysis
Security’s a Tradeoff…
… like everything else in businessYou cannot make your system completely secureWe accept and absorb risks all the time
Security Has A Price
IT’s job versus security’s jobMany “hardening” techniques will cause software to break
Write a Security Policyone on paper, that is
We’re talking here about protecting the organization from destruction, so…
This only works if management’s on boardMust have a written security policyMust have a few items that, well, could cause termination
If not, then relax!; you’re going to get hacked, probably by an insider, but there’s nothing you can do about it, so don’t work lateGood sample policies at http://www.sans.org/resources/policies/
Practical Talk About Passwords“Bad passwords always beat good security”
Passwords – the stakes
Passwords are it for most of us in terms of identifying ourselves to the networkBad guys just need one account, not all of themPasswords are a carbon-based issue, not a silicon-based issueAgain, get the users on board, or it's likely that no password technology will ever work
Passwords – the modern facts
Passwords are attacked in several waysShoulder surfingPost-ItsThey’re yelled across a roomSomeone steals your password “hashes” and cracks themSomeone tries repeatedly to log on with different passwords
Note that only the last two are technological
A Bit of Technicals on PasswordsComputers don't store your password; they convert it to a 128 bit "hash" and store that "Open Sesame"
Any of many mathematical processes called a "hash function"
0F725ACD85C6390EE6F218C7D382C552
This is essentially your real password – if bad guys get it, they can (1) attempt to reverse it to get your password (difficult) or just directly use the hash to impersonate you (easy)
How Bad Guys Get Your Hash
Physical access to your systemGuessing it
But that means trying 2128 possibilities, which is still computationally unlikely – at a million/second, it'd take 1025 years, and even Moore's Law won't crack that for a while
Guessing it with a hint… now, that might be possible!
Hint Sources
Structural limitations on passwordsThe 1980's "LAN Manager" software limited the possible number of hashes so that checking all possible hashes can be done in a few days on a modern system rather than a zillion years… so LM hashes must goHashes come from human-chosen passwords and humans tend not to create passwords like "6$^^hH-()()()()(7Ghala"Worse yet, many people restrict themselves to personal info or English words
This is how the bad guys get passwords!
Protecting Your Passwords
Get your users to create useful, non-trivial passwordsMandate a minimum password length of at least 8 characters, consider 12… 7 or under is bad under all circumstances for several reasonsAvoid complex passwordsTrain users to avoid simple English words
Get rid of LM now. Really… now.Group policies will do itMost systems will not have a compatibility problem, but check NASes and network-attached printers
Win 6/7 and LM
After telling us to rid our networks of LM-related stuff for ten years, Microsoft took
a big step…… Vista, Server 2008, Win 7 and Server 2008 R2 have no support for LAN Man hashes or authentication at allYou couldn't create an LM hash with Vista if you wanted to!
The Dumbest PasswordsI've got to stress this…
In the early 21st Century, these kind of passwords can be almost always cracked in under three minutes:
A name associated with you or your organizationA date associated with you or your organizationA dictionary wordBTW, just adding a number or a capital adds no more than a few minutes to the time
People with these passwords must, sadly, be sterilized
12 Characters? Are You Crazy?
I advocate 12 character minimum password length… more length makes up for a "no complexity" requirementOnly requires a bit of user education on the "passphrase”12 lowercase letters = 95,428,956,661,682,176 possibilitiesTry a million a second, it’ll take 300 centuries
The Ultimate PasswordRemember why English word passwords are childishly simple to crack?They weren't 12 years agoAs Moore's Law strides on, one day any eight-character password, no matter how obscure, will be crackable in an hour or soAnd then what do we do?Answer: PKI… so put that on your "things to figure out in the next couple of years" listWS08 R2 Authentication Mechanism Assurance
Watch Your Authentication Protocols
Why They Matter
When you log on, your system decides under-the-hood how to authenticate with a domain controller – either
LMNTLMNTLM v2Kerberos
Even in an AD world, the top three get used… and you really want to avoid that
What? Not Use Kerberos?
Even in an AD-centric network, you may not get Kerberos
NET USE to an IP addressConnect to a workgroup system on Windows of any versionConnect to a pre-2000 systemFailover from a busy DCBadly-written apps (any apps older than 7 years?)Intranet site not added to "local intranet" zone
Nowadays we really want to de-NTLM our networks as much as possible
Kerberos Logon vs NTLM Logon
How you know you're NTLM-ing:Can't join machines to domainsDon't get group policiesNetmon traces show NTLM, not Kerberos traffic
Tracking this stuff down by hand is a pain, so Windows 7/Server 2008 R2 offer some new group policies
NTLM Restriction Policies
Essentially these new policies let you first track and then block NTLM logonsThere are basically three policies, each with an "audit" and a "block" option:
Incoming NTLM traffic (server tracking)Outgoing NTLM traffic (client tracking)Domain traffic (DC tracking)
Create new logs of source "NTLM," numbers 8001, 8002, 8003, 8004
Handling Admin Accounts and Eliminating "Administrator"
Creating Good Admin Passwordswithout having to stress the users
Having someone crack one of our (administrator) passwords would be badOne answer: set up different password policies for members of the Domain Administrators group from the policy for non-adminsPossible in 2008 and 2008 R2 with "password settings objects"Needs 2008 DFL, good tool to utilize it at www.joeware.net (PSOMgr)
PSOMgr.exe
Stomping Administratorthe account, that is
Local “Administrator” account is unaccountableRename itProhibit insiders from using it also(Otherwise, auditing is pointless)Give people’s accounts the admin privileges that they need … no moreThen assume that people using Administrator have no good in mind – make using it a firing offense!No real need for Administrator acct any more
Stomping Administrator
Randomize the admin passwordnet user administrator /domain /random>nulIt doesn’t hurt to rename the account in any caseIf using 2003 or 2008, you can
create a smart card for the Administrator accountforce the Administrator account to only be able to log on with the card – ctrl-alt-del won’t worklock up the card and disperse the PIN
Don’t Spend All Day As Admin
Tempting to be logged in all day as an administratorWorkaround: runas command, although truthfully it's a painWorks best when shift-right-clicking a menu item
But there's a better way…
What About UAC?In a sense, it's a "reverse Run As"You log in as an administrator, but automatically get two identities, and a reminder whenever you use the powerful onePeople find it annoying… but I really recommend that you keep it in placeIn silent mode, it essentially automates the "two account switch" trickOnce you understand UAC, it can be very useful, so give it a second look
Audit Your Network
Windows Auditing
It's been around forever, but isn't always usedWhy use it?
After-the-fact forensicsHelpful in compliance situations (HIPAA, SOX)
Treat logs policy-wise the way you treat money accounting recordsBiggest pain is collecting and archiving the Security logs, as there's one on every workstation and server
Auditing and Logswhat modern Windows offers
Fine-tune who you're auditing with auditusr, which first appeared in XP SP2 and 2003 SP1/R2In Vista and later, it's called "auditpol" and has different syntaxEasily centralize logs with Windows 6 and 7's ability to centralize events to a single system – "event log subscriptions”
Auditing And Logssome fairly big news in Windows auditing in Win 7/R2
More auditable stuff: 9 categories in Vista…… 54 in Windows 7/R2
To see this, look in Group Policies / Windows Settings / Security Settings; the old "Local Policies / Audit Policy" is there, but there's also now an "Advanced Audit Policy Configuration" folder
"Global SACL" or "Global object access auditing" completely changes object auditing
Use either group policies or auditpol to enable"Reason for access" reporting
Securing Services
Securing Services
Whenever there's a headline-grabbing security attack, there's a compromised service behind itThere have traditionally been three things you can do to reduce services' vulnerabilities
Disable the unnecessary onesMinimize the remaining ones' privilegesMinimize the remaining ones' permissions
XP SP2 started a trend that way, but you may be surprised at what Windows 6 did to shore up services' security
Services, Phase Onedisable unnecessary ones
Much less necessary with Vista/2008Messenger, clipbook, alerter services goneOther services are isolated in a separate Terminal Services session and so cannot interact with the desktop(Only bad part – causes some pre-Vista print drivers to fail)
Services, Phase 2 de-fang the services that you leave running
Services run not as you, but as some account – probably System, which is all-powerfulThus, any damage that they can do is limited by the permissions on that accountUnfortunately that’s usually SystemVista/2008 includes a built-in feature that reduces much of System's power
Services, Phase 2 finding out if your devs have been lazy
The problem is that not every developer exploits itWay to find out: open an elevated command prompt and type sc qprivs servicename If you don't get a list of privileges, that service has not been secured – so yell at the developer!
Services, Phase 3reducing their power with service isolation
"System" has all-encompassing file permissionsVista/2008 take it a step further with "service isolation"Basically it's an isolated service is one whose developer has very finely determined which files/folders/etc a given service, and used a new Vista/2008 feature to explicitly lock it out of everything elseTest: "sc qsidtype servicename" – you want to see "SERVICE_SID_TYPE: RESTRICTED" If not… whack the developers!(Hey, if you've got Win 6/7, you've already paid for this!)
Managed Service AccountsBackground: what problem does this solve?
Services must run under an account, and LocalSystem/LocalService/NetworkService can't always do the jobIIS, Exchange, SQL are some common examplesIn that case, techies need to create accounts to act as service accountsThat works fine, except for the issue of passwords: they need regular changing or services stop working
Managed Service AccountsAnswer: managed service accounts
New class of accountsSorta user accounts, sorta machine accounts (new icon)You:
Create one on the domain"Install" it on the member serverConfigure the service so that it logs on as that account, and from there password updates etc are automatic
Need one account / member
Managed Service AccountsPassword details
240-character passwords createdIgnore group policies about passwords and ignore fine-grained password policiesAutomatically handle password changes every 30 days
Managed Service AccountsRequirements/details
Requires at least one 2008 R2 DC (which means a 2008 R2 schema on the forest)Requires AD Powershell (and therefore AD Web Service) to create accountsLive in their own new folder (not an OU) called "Managed Service Accounts"Servers hosting services that use the accounts must be R2/Win 7
Physical Security
Physical Security
The idea is "if I can touch it, I can hurt it"The top item on many people's security lists… but not always a practical one to accomplish
Servers are often protected…… but what about in branch offices?And how can we (realistically) secure workstations – particularly laptops?And beyond workstations, what about the other things that carry copies of our data?
Physical Securityusing Windows 6 and 7: three technologies
Device installation group policies: "no removable devices allowed on this system"BitLocker: encrypts drives, securing
laptopsbranch office servers
BitLocker To Go: encrypts removable devices like USB sticks
Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"
Physical Security and RODCsprotecting your Active Directory
In branch offices with questionable physical security, consider 2008-based "read only domain controllers" or RODCsBy default, RODCs contain copies of the AD…… but no passwordsThus, it's no good if the WAN link's down, but if stolen, it's got nothing we care about
Physical Security and RODCswhy's it good?
RODCs let you "loosen" security a bitYou can put as many or as few passwords onto an RODC as you likeAnd if the RODC is stolen, just three clicks resets the passwords and deletes the RODC's domain membership Combine it with Bitlocker and you're better protected
Disaster Recovery / Business Continuity
Have A Disaster Planthe problem
Every organization needs DR and BC plans"What if we're hacked?""What if there's a fire?""What if the water tower on the roof leaks and we have a flood on the top floor, where the servers are?"
DR plans can be a pain; here's a few thoughts
Have A Planhave simple (but explicit) plans
After the attack/disaster, the question’s the same: where are the backups? How do I restore them? How do I rebuild a DHCP server?These should be step by step plansThese must be tested beforehandThis is not a small job, but it’s necessary and even constitutes training materials for new hires
Make DR a Bit Easier w/2008
DR plans are a good idea…but can be so hard to doAnswer: some sort of image backup/"bare metal restore" toolMany of the big vendors have themBut 2008 includes one: CompletePC backup
Upgrade the Carbon Unitsno technology can protect us from attachments
Kournikova worked because users didn’t know better and because we “protect” them from extensionsThe weasels only win when users invite them inDon’t yell, but…user training is the answerJust 15 minutes of basics about mail and attachments goes a long way
Stay Informed and Stay Paranoid
www.microsoft.com/security for patches etc.www.sans.orgwww.securityfocus.comthe security pages from whatever apps you rely upon
Simplify Patching
If "physical" is #1 on many lists, this is probably #2 or #3 WSUS, of courseBut don't forget your other technologiesAnd then there's patching imagesIf, however, you're using the free Windows (6 and 7) deployment tools from Microsoft, patching WIM imaging technology is easier than just about any tech around (and, again, it's free)
Related ContentWCL308: Deploying Windows 7 BitLocker in the EnterpriseSIA310: Cybercrime: A Journey to the Dark SideSIA202: Developing a Security Awareness StrategySIA201: Windows 7 Security OverviewSIA302: Security Management - Integrated Enterprise SecuritySIA206: Microsoft Security Intelligence Report
question & answer
www.microsoft.com/teched Sessions On-Demand & Community
http://microsoft.com/technet Resources for IT Professionals
http://microsoft.com/msdn Resources for Developers
www.microsoft.com/learning Microsoft Certification & Training Resources
Resources
www.microsoft.com/learningMicrosoft Certification and Training Resources
Complete a session evaluation and enter to win!
10 pairs of MP3 sunglasses to be won
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.