1 / 70

Identity Management and Security Summit - Partner Technical Session

Identity Management and Security Summit - Partner Technical Session. Jamie Sharp CISSP Microsoft Consulting jamiesh@microsoft.com. Agenda - MS QuickStart for Operating Secure Servers. Service Overview Deliverables and Resources Goals of the engagement

carsten
Download Presentation

Identity Management and Security Summit - Partner Technical Session

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Identity Management and Security Summit - Partner Technical Session Jamie Sharp CISSP Microsoft Consulting jamiesh@microsoft.com

  2. Agenda - MS QuickStart for Operating Secure Servers • Service Overview • Deliverables and Resources • Goals of the engagement • Key concepts to communicate to the customer

  3. Fixed-price Service • Sold as 2 weeks. Partner sets price. • 96 hours delivery consultant(s) • 2 weeks (80hrs) • plus 2 days for auxiliary expert, research, etc. • 32 hours QA delivered by Microsoft expert (fee for QA & IP license) • Engagement is simply “fixed price” to the customer, do not discuss specific hours.

  4. Target Customers • In it’s “pure” form, the target is the mid-size corporation 500-10,000 seats. Larger customers can be accommodated • Invested in Windows 2000: Some value to NT 4 customer but the prescriptive guidance assumes Windows 2000. • Looking to understand their current exposure and what is possible to achieve.

  5. Consultant Requirements • MCSE (Active Directory Architect) • CISSP or equivalent cert/experience • ITIL Foundations or MOF Essentials • Comfortable in a Project Lead Role • MS QuickStart trained • Comfortable in presenting and leading design sessions

  6. Project Schedule • Week #1 • Brief Security Intro • Assessment • Week #2 • Brief Operations Overview • Operations Workshop • Prescriptive Configuration Guidance and Design

  7. Consultant Resources • Presentations • Security Intro • Operations Overview • Delivery Guide • Security Operations Guide Worksheet • Consultant Guide for SOG Worksheet

  8. Consultant Deliverables • Resource Planning Guide • Assessment • Known vulnerability spreadsheet • Baseline Security analyzer • Assessment report template • Configuration Guidance • Security Operations Guide Windows 2000 Server • Microsoft Operations Framework Core Documents • Security Operations Guide Worksheet

  9. Tools Used • Microsoft Baseline Security Analyzer • HFNetChk • Group policies and security templates • IIS Lockdown and URLScan • EventCombMT • DCDiag, NetDiag, NSLookUp, RepAdmin, GPResult, GPOTool, etc.

  10. Techniques Used • Thread modeling: S.T.R.I.D.E. • Risk management • Change, Configuration and Release management • Maintaining hotfixes & service packs • Ongoing monitoring and assessment • Incident response

  11. Engagement Goals • Get secure: • Security assessment • Application of current OS updates • Host configuration best practices • Stay secure: • Operational best practices • Leverage Active Directory to implement management of servers by roll using organizational units, group policies, and delegation of administration • Identify update procedures to keep patches up to date • Use auxiliary tools like URLScan to help protect IIS servers from yet-to-be discovered vulnerabilities

  12. Engagement Goals • Just an assessment, even a full assessment would NOT be enough. • A “Plan to Operate Securely”, turns the findings in the assessment into manageable configuration and operations tasks and gets them moving in a positive direction. • Without the Assessment, the “Plan to Operate Securely” may not have the weight/backing it needs. Both are needed!

  13. Why is the Engagement so Short? • We’re going for quick results, results that can be demonstrated for the client. • Follow-on work will be necessary, this engagement is only the start. • Assessment gives justification for the effort of the follow-on work and the best practices show that it is a doable effort.

  14. Summary • Microsoft QuickStart Service is a complete packaged service • Use the resources provided to you • Manage to the time allowed • Avoid scope creep • The Assessment and the Planning do not create an endpoint, it is a quick start

  15. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

  16. Agenda • Understanding Security • Current Situation • Solution Components • Roadmap • Wireless • VPN • Perimeter

  17. Understanding Security

  18. Understanding Security • Risk Management • Resources • Threats • Vulnerabilities • Exploits • Countermeasures

  19. Defence in Depth • Assume prior layers fail

  20. Principle of Least Privilege Any administrator, user, service etc. that needs to perform a task, should only be granted the minimum rights and permissions necessary to perform that task.

  21. Threat Modeling You cannot build secure infrastructure or applications unless you understand the associated threats.

  22. Security Challenges Products lack security features Products have bugs Many issues are not addressed by technical standards Too hard to stay up-to-date Design for security Roles & responsibilities Audit, track, follow-up Response plans Stay up-to-date with security development Technology Process People Lack of knowledge Lack of commitment Human error

  23. Current Situation

  24. Days between patch and exploit 331 180 151 25 SQL Slammer Nimda Blaster Welchia/ Nachi Security is our #1 PriorityThere is no silver bulletChange requires innovation CurrentSituation Patches proliferating Time to exploit decreasing Exploits are more sophisticated Current approach is not sufficient

  25. Customer Feedback You’ve Told Us Our Action Items “The quality of the patching process is low and inconsistent” Improve the Patching Experience “I need to know the right way to run a Microsoft enterprise” Provide Guidance and Training “I can’t keep up…new patches are released every week” Mitigate Vulnerabilities Without Patches “There are still too many vulnerabilities in your products” Continue Improving Quality

  26. Addressing The Situation • Security and Patch Management Priority #1 at Microsoft • Comprehensive tactical and strategic approach to addressing the situation • Trustworthy Computing Initiative • SD3+C Security framework • Patch Management Initiative

  27. Rationalized patch severity rating levels • Better security bulletins and KB articles • Security Readiness Kit; Patch Management guidance, etc. • Standardized patch and update terminology • Standardized patch naming and installer switch options* • Installer consolidation plan in place – will go from ~8 to 2 • Reduced patch release frequency from 1/week to 1/month • Improved patch testing process and coverage • Expanded test process to include customers • Reduced reboots by 10%; reduced patch size by up to 75%** • Developed Patch & Update Management tools roadmap • SUS 2.0 in development: significantly enhanced capabilities • SMS 2003 delivers expanded patch and update management capabilities Patch Management InitiativeProgress to Date Informed & Prepared Customers Consistent & Superior Update Experience Superior Patch Quality Best Patch & Update Management Solutions More on the Patch Management Initiative in the Roadmap Section of this presentation… *Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0 **75% for Windows Update installs, more than 25% for other patches

  28. Solution Components

  29. Successful Patch Management Trained People Repeatable Processes Tools & Technologies

  30. Patch Management Process 1. Assess Environment to be Patched Periodic Tasks A. Create/maintain baseline of systems B. Access patch management architecture (is it fit for purpose) C. Review Infrastructure/ configuration Ongoing Tasks A. Discover Assets B. Inventory Clients 2. Identify New Patches Tasks A. Identify new patches B. Determine patch relevance (includes threat assessment) C. Verify patch authenticity & integrity (no virus: installs on isolated system) 1. Assess 2. Identify 3. Evaluate 4. Deploy 4. Deploy the Patch Tasks A. Distribute and install patch B. Report on progress C. Handle exceptions D. Review deployment 3. Evaluate & Plan Patch Deployment Tasks A. Obtain approval to deploy patch B. Perform risk assessment C. Plan patch release process D. Complete patch acceptance testing

  31. Patch Management Guidance • Prescriptive guidance from Microsoft for effective patch management • Uses Microsoft Operations Framework (MOF) • Based on ITIL* (defacto standard for IT best practices) • Details requirements for effective patch management: • Technical & operational pre-requisites • Operational processes & how technology supports them • Daily, weekly, monthly & as-needed tasks to be performed • Testing options • Three patch management guidance offerings • Microsoft Guide to Security Patch Management** • Patch Management using Software Update Services*** • Patch Management using Systems Management Server*** *Information Technology Infrastructure Library **Emphasizes security patching & overall security management ***Comprehensive coverage of patch management using the specified technology

  32. New Update Assess Identify Evaluate & Plan Deploy MBSA • Helps identify vulnerable Windows systems • Scans for missing security patches and common security mis-configurations • Scans various versions of Windows and other Microsoft applications • Scans local or multiple remote systems via GUI or command line invocation • Generates XML scan reports on each scanned system • Runs on Windows Server 2003, Windows 2000 and Windows XP • Integrates with SUS & SMS

  33. Assess New Update Identify Deploy Evaluate & Plan Software Update Services • Deploys Windows security patches, security rollups, critical updates*, and service packs only • Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only • Provides patch download, deployment, and installation configuration options • Bandwidth optimized content deployment • Provides central administrative control over which patches can be installed from Windows Update • Provides basic patch installation status logging *Including critical driver updates

  34. New Update Identify Deploy Assess Evaluate & Plan SMS 2003 • Identifies & deploys missing Windows and Office security patches on target systems • Can deploy any patch, update, or application in Windows environments • Inventory management & inventory based targeting of software installs • Install verification and detailed reporting • Flexible scheduling of content sync & installs • Central, full administrative control over installs • Bandwidth optimized content distribution • Software metering and remote control capabilities

  35. Choosing A Patch Management SolutionTypical Customer Decisions Adopt the solution that best meets the needs of your organisation *Windows 2000, Windows XP, Windows Server 2003 **Customer uses Windows Update or manual process for other OS versions & applications software

  36. Roadmap

  37. Improved KB Articles GTM PartnershipDeliverables Security Bulletin Teleconferences Bulletin Search Page Patch ManagementRoadmap Clearer SeverityRating Levels Patch Management Guides Sustaining EngineeringPractices White Paper Patch Management Guides Patch Management White Paper Security Readiness Kit (Guides, Tools, Best Practices) Informed & Prepared Customers New Security & Patch Management workshops Regular web casts on security patch management* Updated roadmap, whitepapers, and guidance Q4 ‘02 Q1 ‘03 Q2 ‘03 Q3 ‘03 Q4 ‘03 Q1 ‘04 Q2 ‘04 Q3 ‘04 Revised Patch Management Guides Informed and Prepared Customers *See http://www.microsoft.com/usa/webcasts/upcoming/default.asp for upcoming web casts

  38. Add/Remove Program Improvements Standard Detection Manifest Standard installer switches defined Standard terminology for documentation 2 Installers: MSI, Update.exe MSI 3.0 Consistent & Superior Update Experience Patches & Security Bulletins released once a month Standard Titles* Standard Property Sheet Standard Registry Entries Consistent & Superior Update Experience Q1 ‘03 Q2 ‘03 Q3 ‘03 Q4 ‘03 Q1 ‘04 Q2 ‘04 Q3 ‘04 Q4 ‘04 Standard naming and signing MSI 3.0 supports uninstall, binary delta patching, etc. – Q2 2004 Converge to two installers – Q4 2004 Monthly patch delivery for non-emergency patches - Today *For Add/Remove Programs, Windows Update, and Download Center

  39. 90% Reduction in Patch Size 75% Reduction in Patch Size* 25% Reductionin Patch Size 10% Reductionin Patch Reboots Patch test process includes participating customers 30% Reductionin Patch Reboots** Superior Patch Quality Superior Patch Quality Up to 75% reduction in patch size* 10% reduction in patch reboots Patch test process extended to include customers Q4 ‘02 Q1 ‘03 Q2 ‘03 Q3 ‘03 Q4 ‘03 Q1 ‘04 Q2 ‘04 Q3 ‘04 *For Windows Update installs, more than 25% reduction for other patches **For Windows Server 2003 patches

  40. MBSA • Overall direction • MBSA update scanning functionality integrated into Windows patch management functionality • MBSA becomes Windows assessment & mitigation engine • Near- and Intermediate-term plans • MBSA 1.2 (Q4 2003) • Improves report consistency, product coverage, and locale support • Integrates Office Update Inventory Tool • MBSA 2.0 (Q2 2004) • Update scanning functionality migrates to SUS 2.0 / Microsoft Update • MBSA leverages SUS 2.0 for update scanning

  41. SUS 2.0 • Support for additional Microsoft products • Administrative control • Deployment & targeting • Bandwidth efficiency • Scale out • Status reporting

  42. Patch Management FunctionalityFuture Direction • Longer-term (Longhorn time frame) • SUS functionality integrated into Windows • SUS supports updating of all Microsoft software • SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software • SMS patch management built on SUS infrastructure and delivers advanced patch management functionality • Near-term • SUS 2.0 (Spring 2004) • Single infrastructure for patch management • Support for additional Microsoft products • Significant improvements in patch management functionality • SMS 2003 Update Management Feature Pack (H2 2004) • Leverages SUS for update scanning & download • Leverages SUS client (Automatic Updates) for installs

  43. Wireless

  44. Current Situation • Huge fear of wireless • Rooted in misunderstandings of security • Wireless can be made secure • Takes work • Need to understand problem • Need to plan for secure solution

  45. WEP Issues • Key and initialisation vector reuse • Known plaintext attack • Partial known plaintext attack • Weaknesses in RC4 key scheduling algorithm • Authentication forging • Realtime decryption • More Information • http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html WEP - Wired Equivalent Privacy

  46. Solution Today - 802.1X • Port-based access control mechanism defined by IEEE • Works on anything, wired and wireless • Access point must support 802.1X • No special WIC requirements • Allows choice of authentication methods using EAP • Chosen by peers at authentication time • Access point doesn’t care about EAP methods • Manages keys automagically • No need to preprogram WICs

  47. Solution Today - EAP • Link-layer security framework • Simple encapsulation protocol for authentication mechanisms • Runs over any link layer, lossy or lossless • No built-in security • Doesn’t assume physically secure link • Authentication methods must incorporate their own security

  48. AuthN Supported in Windows • EAP-MD5 disallowed for wireless • Can’t create encrypted session between supplicant and authenticator • Would transfer password hashes in the clear • Cannot perform mutual authentication • Vulnerable to man-in-the-middle attacks • EAP-TLS in Windows XP release • Requires client certificates • Best to have machine and user • Service pack 1 adds protected EAP (PEAP)

  49. Protected EAP (PEAP) • Extension to EAP • Allows use of any secure authentication mechanism for EAP • No need to write individual EAP-enabled methods • Windows PEAP allows: • MS-CHAPv2—passwords • TLS (SSL channel)—certificates • PEAP-EAP-TLS a little slower than EAP-TLS • SecurID—but not tested/supported for wireless • For many deployments, machine and user passwords still are necessary • PEAP enables secure wireless now • Allows easy migration to certificates and smartcards later

  50. 802.1X & EAP Provides • Mutual device authentication • Workstation and authentication server • No rogue access points • Prevents man-in-the-middle attacks • Ensures key is transferred to correct entity • User authentication • No unauthorized access or interception • WEP key uniqueness and regeneration • Packet/disassociation spoofing prevention

More Related