
Securing Your Windows Platform

SIM307. Securing Your Windows Platform. Mark Simos, William Dixon (Microsoft Consulting Services); Solomon Lukie (Trustworthy Computing). Objective: demonstrate how to create a secure and usable administrative desktop using SCM, EMET, AppLocker, and ASA.



  1. SIM307 Securing Your Windows Platform. Mark Simos, William Dixon (Microsoft Consulting Services); Solomon Lukie (Trustworthy Computing)

  2. Securing your Windows Platform: Objectives
  • Demonstrate how to create a secure and usable administrative desktop using SCM, EMET, AppLocker, and ASA
  • How to adapt the configuration to protect enterprise workstations
  • Awareness of cybersecurity threats, motivations, and trends

  3. Securing your Windows Platform: Agenda
  • Cybersecurity perspectives
  • Tools and technology: Enhanced Mitigation Experience Toolkit (EMET), AppLocker, Security Compliance Manager (SCM), Attack Surface Analyzer (ASA)
  • Group Policy: user account least/lesser privilege
  • All technology in this presentation is a free download or included in Windows 7

  4. Cybersecurity Perspectives

  5. Why lock down administrative desktops?
  • Active Directory compromise is bad! 100% cleanup assurance is difficult; a rebuild is expensive and embarrassing for IT (and for the organization)
  • Malware is a profit-driven industry of increasing sophistication
  • Sophisticated techniques are getting more efficient (toolkits)
  • Compromise and obfuscation techniques constantly evolve: Symantec reported 286 million variants in 2010 alone

  6. What Attackers Want
  • Ingress: gain a beachhead, install user-mode malware
  • Escalation of privilege
  • Expand presence: redundant administrative access, ongoing surreptitious remote access
  • Implement goals: data exfiltration, other nefarious actions

  7. Cybersecurity Economics
  • Goal: make defenses cheaper/easier to achieve (due diligence, commercial reasonability)
  • Threat: attacker tools keep getting cheaper and more sophisticated
  • Goal: better defenses force attacks to be sophisticated (expensive and difficult) to be effective
  [Chart: Defender Benefit (Db) plotted against Defender Cost (Dc), showing diminishing returns]

  8. Fighting Back (Due Diligence)
  • Least privilege: limit Domain Admin privileges (use lesser admin roles!); limit local Administrator (even on admin workstations!)
  • Reduce risky behavior: don't allow email or Internet browsing from admin workstations!
  • Hardened client: run the 64-bit version of the latest operating systems; patching, AV, anti-malware, and firewall
  • Security Compliance Manager (SCM): apply a high-security baseline for OS and application security settings

  9. Fighting Back (Commercial Reasonability)
  • Require two-factor authentication for administrators: smartcards, RSA tokens, other solutions
  • EMET: protect against exploits by unknown malware
  • AppLocker: whitelist the applications that can launch
  • ASA: identify and reduce attack surface

  10. Microsoft Cybersecurity Team Approach Protect Detect Defend Recover Respond

  11. Trusted Virtual Client for Management William Dixon demo

  12. Trusted Virtual Machine Client
  • Goals: avoid/minimize risk, prevent infection, limit damage, and stay easy to use!
  • Dedicated VM for management
  • Windows 7 running as a Windows Virtual PC guest (32-bit only; Virtual PC does not run x64 guests)
  • Windows 7 or Server 2008 R2 x64 running as a Hyper-V VM
  • Ease-of-use tradeoff: the VM is joined to the same domain it manages
  • Member of a "Hardened Workstations" OU
  • SSLF baseline: Specialized Security, Limited Functionality

  13. Server Admin Accounts: Limit Risk
  • Server admin accounts: not Domain Admins; not local admin of the client; log on to the management client only, with just the privileges needed to perform the job
  • Administrative workstations: browser limited to intranet browsing only; only server administrators can log on; two-factor authentication ideal
  • Regular user workstations: only regular users can log on (no server or domain admins allowed)

  14. Demonstration Domain – User Accounts

  15. Demonstration Domain – Computer Accounts

  16. Security Compliance Manager (SCM) William Dixon demo

  17. Demo: SCM Getting Started http://social.technet.microsoft.com/wiki/contents/articles/microsoft-security-compliance-manager-scm-getting-started.aspx

  18. Demo: SCM Automatic Baseline Releases

  19. Demo: SCM Import Baselines

  20. Demo: SCM GPO Review, Edit

  21. Demo: SCM Policy Edit

  22. Demo: SCM Policy Edit, Informed Decisions. Oops: a value of 0 for "Enforce password history" does not mean "default", it disables password history enforcement entirely! Read the setting description SCM shows before changing a value.

  23. Demo: SCM Baseline Comparisons

  24. Demo: SCM Baseline Rename, Comment

  25. Demo: Import Settings into GPO from SCM

  26. Demo: Import Settings into GPO from SCM

  27. Demo: Deployment Steps Summary
  • Duplicate, review, and edit the security baseline if needed
  • Create a GPO backup of the baseline
  • Duplicate, review, and edit additional GP settings in a "Settings Pack"
  • Create a GPO backup of the settings pack
  • Move the GPO backup files to the admin workstation
  • Start GPMC
  • Create a GPO in the domain for the Hardened Workstations OU
  • Import the GPO from the {guid} backup folder
  • Run gpupdate on the client to apply
  • Test!
  NOTE: removing a GPO does not reset values it already wrote. Security settings (and anything outside the Policies keys) tattoo the registry, so undo a setting by explicitly setting the old value, not by unlinking the GPO.
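The GPMC part of the deployment steps, scripted, as an added example that is not from the SCM demo: it imports the SCM GPO backup into a new GPO, links it to the Hardened Workstations OU, and then, on a client, verifies the setting the demo tripped over (password history) from the effective local security policy. The backup folder, backup name, GPO name and OU distinguished name are assumptions.

```powershell
# Added example (not the presentation's own script). Run the first part on an admin
# workstation with GPMC/RSAT installed, the second part on a hardened workstation.
Import-Module GroupPolicy

$BackupPath = 'C:\SCM\GPOBackups'                            # assumed: folder holding the {guid} backup folder(s)
$BackupName = 'Win7 SSLF Computer Baseline'                  # assumed: GPO display name stored in the backup
$GpoName    = 'Hardened Workstations - SSLF Baseline'        # assumed: name of the GPO to create in the domain
$TargetOU   = 'OU=Hardened Workstations,DC=contoso,DC=com'   # assumed: DN of the OU the admin VMs live in

# Import the backup into the GPO; -CreateIfNeeded creates the GPO when it does not exist yet.
$gpo = Import-GPO -BackupGpoName $BackupName -Path $BackupPath -TargetName $GpoName -CreateIfNeeded
"Imported '$BackupName' into GPO $($gpo.DisplayName) ($($gpo.Id))"

# Link it to the OU only if it is not linked already. Not enforced, so a pilot OU below can still override.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -Enforced No | Out-Null
    "Linked $GpoName to $TargetOU"
}

# ---- On a client in the OU: apply, then verify from the effective local security policy ----
gpupdate /force /target:computer | Out-Null

# Password/account/user-rights settings are stored in the local security database, not under
# HKLM\Software\Policies. Export it and read "Enforce password history" (PasswordHistorySize).
function Get-EffectivePasswordHistory {
    $cfg = Join-Path $env:TEMP 'effective-secpol.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $m = Select-String -Path $cfg -Pattern '^PasswordHistorySize\s*=\s*(\d+)'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
}

$history = Get-EffectivePasswordHistory
if ($history -eq $null) { Write-Warning 'PasswordHistorySize not present in exported policy' }
elseif ($history -eq 0)  { Write-Warning 'PasswordHistorySize = 0: password history enforcement is OFF' }
else                     { "PasswordHistorySize = $history (history enforced)" }
```

Because these are security settings, unlinking the GPO afterwards leaves PasswordHistorySize at whatever value was last applied; re-running Get-EffectivePasswordHistory after the unlink and a gpupdate is a quick way to see the tattooing the slide warns about.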

  28. Enhanced Mitigation Experience Toolkit (EMET) Mitigate applications against exploit techniques

  29. EMET Benefits
  • Protects against exploitation of unknown vulnerabilities by blocking the exploit techniques used against applications
  • Works for new and old applications, Microsoft and third-party software, and line-of-business applications
  • No source code required
  • GUI configuration of OS mitigation features
  • Free download

  30. EMET Mitigating Vulnerabilities
  • Mar 17 - Blocking exploit attempts of the recent Flash 0-day
  • Mar 14 - Adobe bulletin CVE-2011-0609
  • Dec 22 - New Internet Explorer vulnerability affecting all versions of IE
  • Nov 3 - DEP and EMET protect against attacks on the latest Internet Explorer vulnerability
  • Sep 10 - Adobe Reader/Acrobat 0-day exploit
  • http://blogs.technet.com/b/srd/

  31. Enhanced Mitigation Experience Toolkit (EMET) Mark Simos demo

  32. EMET Notes
  • Limited info on what EMET did: look for Event 1001 in the Application log, with EMET.DLL named as the faulting module
  • Some OS mitigations terminate the process with STATUS_ACCESS_VIOLATION, which looks like an ordinary application crash to the user
  • Disable/enable EMET for the application to confirm whether it is the cause of a user's issue
  • Enterprise management challenges: no centralized control or status of EMET; no native reporting of EMET actions/events
  • OS mitigation support varies on pre-Windows 7 clients

  33. EMET Scenarios and Use Cases
  • Admin and enterprise workstations: command-line installation and configuration; test applications for compatibility first (issues are rare); configure error reporting to Desktop Error Monitoring (MDOP) or Application Exception Monitoring (SCOM)
  • Personal laptop/desktop (geeks like us!): add *.exe from C:\Program Files\ and C:\Program Files (x86)\; set system settings to maximum
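The command-line configuration and the Event 1001 check from the two EMET slides, as an added example that is not from the EMET demo. The EMET_Conf.exe path and the --set/--add/--list switches follow the EMET 2.x user guide and should be treated as assumptions to confirm against the guide for the version actually installed; the script otherwise uses only standard PowerShell and Windows Event Log cmdlets.

```powershell
# Added example (not the presentation's own script). Requires an elevated prompt.
$EmetConf = 'C:\Program Files (x86)\EMET\EMET_Conf.exe'   # assumed install path on an x64 host

# "Set system settings to maximum" (slide 33). Assumed EMET 2.x syntax: --set NAME=VALUE ...
# ASLR is left at OptIn on purpose: system-wide ASLR=AlwaysOn is hidden in the EMET GUI because it
# can leave some systems unbootable; per-application mitigations below cover the ASLR gap instead.
& $EmetConf --set DEP=AlwaysOn SEHOP=AlwaysOn ASLR=OptIn

# Opt every executable under both Program Files trees into the application mitigations.
$roots = 'C:\Program Files', 'C:\Program Files (x86)'
$exes  = Get-ChildItem -Path $roots -Recurse -Filter *.exe -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    & $EmetConf --add $exe.FullName | Out-Null      # assumed syntax: --add <path>; PowerShell quotes paths with spaces
}
"Configured $($exes.Count) executables"
& $EmetConf --list                                   # assumed syntax: show the protected application list

# Troubleshooting (slide 32): when a mitigation fires, the protected process is terminated and Windows
# Error Reporting writes Application event 1001 naming EMET.DLL as the faulting module. Pulling those
# events ties a "the app just crashed" report back to EMET before anyone disables it.
function Get-EmetTerminations {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Application'; Id = 1001; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EMET\.DLL' } |
        Select-Object TimeCreated,
            @{ n = 'Detail'; e = { (($_.Message -split "`n") | Select-Object -First 9) -join ' | ' } }
}

Get-EmetTerminations -Days 7 | Format-Table -Wrap
```

On a Windows 7 client the event message's first lines carry the faulting application name and the faulting module, which is what the `Where-Object` filter keys on; if nothing matches, EMET was not involved in the crash and the troubleshooting step of disabling it can be skipped.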

  34. Applocker Whitelist Launch of Windows Applications

  35. AppLocker Benefits
  • Whitelisting of software launch: only known-good applications can launch; unknown applications (good and bad) are blocked
  • Publisher rules simplify use: one rule covers everything signed by that publisher (optionally limited to a product, file, or minimum version), so updates do not break the whitelist
  • Windows 7 (Enterprise/Ultimate) and Server 2008 R2 feature, managed by Group Policy

  36. Applocker Mark Simos demo

  37. AppLocker Scenarios and Use Cases
  • Administrative workstations: allow administrative applications only
  • Enterprise workstations: basic - allow all users to run any application in the ruleset; advanced - restrict applications by user/group, with exceptions for administrators and PC techs

  38. AppLocker Notes
  • AppLocker only controls application launch (executables, scripts, installers, and optionally DLLs); it does not constrain what an allowed application does once running
  • Understand the application portfolio (small for an admin workstation)
  • Test your rule set prior to deployment
  • Plan how to handle "emergencies" when a rule blocks something you need: RDP to servers, change the GPO
  • Create a process to handle AppLocker policy maintenance as new tools/applications come online
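The admin-workstation scenario from slides 37 and 38 worked through with the AppLocker PowerShell cmdlets that ship with Windows 7, as an added example that is not from the AppLocker demo. It inventories the tool folder, builds publisher rules (hash rules as the fallback for unsigned files), tests the policy against real paths before anything is deployed, ships it in audit mode, and only then merges it into the GPO. The tool folder, group name, GPO GUID and probe paths are assumptions.

```powershell
# Added example (not the presentation's own script). Needs the AppLocker module (Windows 7 Enterprise/Ultimate).
Import-Module AppLocker

$AdminTools = 'C:\AdminTools'                   # assumed: folder holding the (mostly signed) admin tools
$AdminGroup = 'CONTOSO\Server Admins'           # assumed: the only group allowed to launch them
$GpoLdap    = 'LDAP://dc01.contoso.com/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=contoso,DC=com'  # assumed: replace GUID with the hardened-workstation GPO's
$PolicyXml  = Join-Path $env:TEMP 'AdminWorkstation-AppLocker.xml'

# 1. Know the portfolio (slide 38): what actually lives in the tool folder.
$files = Get-AppLockerFileInformation -Directory $AdminTools -Recurse -FileType Exe, Script

# 2. Publisher rules where the file is signed, hash rules for the rest. -Optimize collapses files
#    from the same publisher/product into a single rule so the set stays small.
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User $AdminGroup -RuleNamePrefix 'AdminTools' -Optimize

# 3. Test before deploying (slide 38). Probe paths are constructed for the example: the first is assumed
#    to exist in the tool folder, the others ship with Windows and are outside it.
$probe = @(
    "$AdminTools\putty.exe",                    # expected: Allowed by an AdminTools rule
    "$env:windir\System32\cmd.exe",             # expected: Denied - no rule covers it
    "$env:windir\System32\calc.exe"             # expected: Denied - no rule covers it
)
$policy | Test-AppLockerPolicy -Path $probe -User $AdminGroup |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Ship in audit mode first: with EnforcementMode=AuditOnly, the AppLocker EXE and DLL log records
#    event 8003 ("would have been blocked") instead of blocking, which is how you find the tools the
#    inventory missed before anyone is locked out of a server (the slide's "emergency").
$xml = [xml]$policy.ToXml()
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($PolicyXml)

# 5. Merge into the GPO rather than overwrite it, so rules added by other admins survive.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $GpoLdap -Merge
```

Two things the cmdlets do not do for you: the Application Identity service (AppIDSvc) must be running on every target or AppLocker silently allows everything, so set it to start automatically in the same GPO; and a rule set built only from the tool folder has no rules for the Windows directory, so test-run the policy on one workstation (audit mode, then enforced) before flipping `EnforcementMode` to `Enabled` for the OU.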

  39. Attack Surface Analyzer Identify the changes in system state, runtime parameters, and securable objects on the Windows operating system.

  40. Useful for
  • IT professionals / system administrators
  • IT department development teams
  • Independent software vendors (ISVs)
  • IT security auditors
  • IT security incident responders

  41. Microsoft Security Development Lifecycle (SDL). The industry-leading software security assurance process. Combining a holistic and practical approach, the SDL introduces security and privacy throughout all phases of the development process. Download the Simplified Implementation of the Microsoft SDL to learn more about the Security Development Lifecycle process and practices.

  42. Attack Surface. The code within a computer system that can be run by unauthenticated users. Attack surface reduction lowers security risk by giving attackers less opportunity to exploit a potential weakness or vulnerability, and is one layer of defense in depth (DiD).

  43. Attack Surface Analyzer. It's FREE and a unique, industry-leading tool
  • Enables you to really improve the security of systems
  • 5+ years of real-world use within Microsoft
  • Trusted and robust: used on all Microsoft products
  • Saves you time: a manual attack surface audit would take hours and require numerous tools/utilities

  44. Securable objects. An object is securable if it can have its own security permissions associated with it. The permissions of a securable object can be unique to it or inherited from its parent. Objects that are not themselves securable are governed by the permissions of their parent. Each securable object's permissions are set by its ACL and other security metadata (owner, integrity level, audit settings).

  45. How objects are secured

  46. Security privileges. Privilege:
  • The right of a user to perform system-related operations, such as debugging the system. A user's authorization context specifies what privileges are held by that user.
  • The capability of a security principal to perform a type of operation on a computer system regardless of restrictions placed by discretionary access control.

  47. Security privileges

  48. How privileges are assigned
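What slides 44 through 48 describe, seen on a live system, as an added example that is not from the ASA slides: the DACL of a registry key (a securable object) with each ACE marked as explicit or inherited from the parent, the privileges the current token holds, and where those privileges come from (the User Rights Assignment section of the local security policy). The key path and the list of "admin-equivalent" privileges are choices made for the example.

```powershell
# Added example (not the presentation's own script). Works in the PowerShell 2.0 that ships with Windows 7.

# --- Securable object: which ACEs are unique to this key and which are inherited? ---
function Get-AceOrigin {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # AreAccessRulesProtected = True means inheritance from the parent is blocked: every ACE here is explicit.
    "$Path  (inheritance blocked: $($acl.AreAccessRulesProtected))"
    $acl.Access |
        Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited, InheritanceFlags |
        Sort-Object IsInherited, IdentityReference |
        Format-Table -AutoSize
}

# The Run key is a classic persistence point: who may write it, and is that an explicit grant or inherited?
Get-AceOrigin -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# --- Privileges: token attributes, not ACEs. 'whoami /priv' lists them with their current state. ---
# A privilege that is present but Disabled can be enabled by the process at any time, so "held"
# is what matters for least privilege, not "currently enabled".
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$privs | Select-Object 'Privilege Name', State | Format-Table -AutoSize

# Example choice: privileges that by themselves give admin-equivalent control of the machine.
$adminEquivalent = 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
                   'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege'
$held = $privs | Where-Object { $adminEquivalent -contains $_.'Privilege Name' } |
        ForEach-Object { $_.'Privilege Name' }
if ($held) {
    Write-Warning ("This token holds " + ($held -join ', ') + "; do not browse or read mail from it.")
}

# --- How privileges are assigned: the [Privilege Rights] section of the local security policy, which
# Group Policy (User Rights Assignment) populates. Export it and show who is granted SeDebugPrivilege.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=\s*(.+)$' | ForEach-Object {
    # Values are SIDs prefixed with '*'; *S-1-5-32-544 is BUILTIN\Administrators.
    "SeDebugPrivilege is assigned to: " + $_.Matches[0].Groups[1].Value
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run Get-AceOrigin from a standard user token and again from an elevated one on the same key and the ACL does not change; only the privileges section does, which is the practical difference between the two definitions of "privilege" on slide 46.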

  49. ASA Supported Platforms
  • Windows 7 and Server 2008 R2: collection and analysis (analysis requires .NET 3.5)
  • Windows Vista and Server 2008: command line / collection only
  • Newer versions of Windows will require the next version
