The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions
David J. Goldman
Joseph Nocera

Overview
• Background
• Windows Security Vulnerabilities
• Dealing with Security
• The Role of the Audit
• Maintaining a Secure Environment

Background
• Why this conference exists
• Windows Security Overview
• Internal Security Management

Windows Security Vulnerabilities
• Loss of Confidentiality, Integrity, Accessibility
• Denial of Service
• Enticement Information
• Undesired Access
• Inability to recover from breach
• Inability to prosecute

Windows Security Vulnerabilities
• Areas of Concern
  • Unneeded Services
  • Incorrect System Configuration
  • Improper Access Control Lists
  • Buffer Overflows
  • Other Code Vulnerabilities
• Known vs. Unknown

Unneeded Services
• Services
  • Simple TCP/IP Services
  • FTP, WWW, SMTP, NNTP
  • Telnet
  • Terminal Services, Other Remote Access (pcAnywhere, ControlIT, etc.)
  • “R” Services (rsh, rcmd, rexec, etc.)
• Devices
• Sniffers
• NFS
• Key Loggers

Incorrect System Configuration
• Service Packs/Hotfixes
• Group Membership
• Registry Values
• Shares
• User Rights
• User Settings

Improper Access Control Lists
• Shares
• Registry Keys
• Directories
• Other Securable Objects
  • System Resources
    • Printers, Services, Tasks, etc.
  • Active Directory Objects
    • OUs, GPOs, etc.

Buffer Overflows
• Core Operating System Components
• Internet Information Server (IIS)
• SQL Server
• Third-Party Applications

Other Code Vulnerabilities
• Core Operating System Components
• Third-Party Applications
• Custom Developed Applications
• Web Pages and Internet Applications

Dealing With Security
• Overall Security Architecture
• Risk Assessment
• Data Classification
• Audit the Environment
• Security Design/Implementation Plan
• Monitor and Control

The Role of the Audit
• Determine Vulnerable Areas
• Obtain Specific Security Information
• Allow for Remediation
• Check for Compliance
• Ensure Ongoing Security

Security Audit Components
• The “Fab Five”
  • User
  • Resource
  • System
  • Network
  • Auditing, Logging, and Monitoring

User Security
• Components
  • User Account Properties
  • Account Policy
  • User Rights
  • Groups
• Configuration Issues
  • Passwords – Complexity/Aging/Uniqueness
  • Disabled/Locked Accounts
  • Workstation Restrictions
  • 4 Logon Types
  • Sensitive User Rights
  • Privileged Group Membership

Resource Security
• Components
  • File Systems
  • File, Folder, and Object Security
  • Shares
• Configuration Issues
  • NTFS vs. FAT, EFS
  • DACLs/SACLs – registry, files/folders, printers, services
  • Shares – who needs read/change/full

Resource Security (cont.)
• Critical Resources
  • %systemroot% (repair, config, LogFiles)
  • %systemroot%\*.exe
  • \Program Files
  • Inetpub, Inetsrv, IIS data directories

System Security
• Components
  • Registry
  • Services
• Configuration Issues
  • Access Paths – Winreg/AllowedPaths
  • Registry Permissions – Run, RunOnce, AeDebug
  • Registry Values – RestrictAnonymous, CrashDump/ClearPageFile, LmCompatibility
  • Installed Services
  • Service Context – System vs. User
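As an added example (not part of the deck, and written in PowerShell rather than the VB Script the Tools slide mentions), the script below checks the System Security items on the local machine: the registry values named on the slide against an assumed hardening baseline, and the ACLs on the Run, RunOnce, AeDebug and winreg keys for write rights granted to broad groups. The expected values, the function name and the list of "broad" identities are assumptions to adjust to the organization's own standard.

```powershell
# Added audit example: registry values and key permissions from the System Security slide.
# Expected values below are an assumed baseline, not values the deck states.
$valueChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Expect = @(1, 2) },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expect = @(3, 4, 5) },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown'; Expect = @(1) },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'; Name = 'CrashDumpEnabled'; Expect = @(0) }
)
# Keys whose DACL decides who can add auto-start or debugger entries, or reach the remote registry.
$aclKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
)
# Identities that should not hold write rights on those keys (assumed list; extend as needed).
$broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a principal change a key's contents or its permissions.
$writeMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
    [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
    [System.Security.AccessControl.RegistryRights]::Delete -bor
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::TakeOwnership)

function Test-SystemSecurityBaseline {
    $findings = @()
    foreach ($c in $valueChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }   # $null means the value is not set
        if ($null -eq $actual -or $c.Expect -notcontains $actual) {
            $findings += [pscustomobject]@{ Check = "$($c.Path)\$($c.Name)"; Actual = $actual; Expected = ($c.Expect -join '/') }
        }
    }
    foreach ($key in $aclKeys) {
        $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $granted = [int]$ace.RegistryRights
            if ($ace.AccessControlType -eq 'Allow' -and $broadIdentities -contains $ace.IdentityReference.Value -and ($granted -band $writeMask) -ne 0) {
                $findings += [pscustomobject]@{ Check = "ACL on $key"; Actual = "$($ace.IdentityReference): $($ace.RegistryRights)"; Expected = 'No write rights for broad groups' }
            }
        }
    }
    return $findings
}

# Empty output means every check passed; otherwise each row is an item for the remediation plan.
Test-SystemSecurityBaseline | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the ACLs of all listed keys can be read; an unreadable key is skipped rather than reported.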
Network Security
• Components
  • Domains and Trusts
  • Protocols
  • Internet Information Server (IIS)
• Configuration Issues
  • Relationships – appropriate access
  • What is needed – TCP/IP, NetBIOS, NWLink
  • IIS – WWW, FTP, SMTP, NNTP

Auditing, Logging, and Monitoring
• Components
  • Audit Policies
  • Event Logs
  • Network Alerts
  • Performance Monitor
• Configuration Issues
  • System Events
  • Files and Directories
  • Registry
  • Log Settings

Maintaining a Secure Environment
• Methodology
• Tools
• Implementation Scripts

Security Methodologies
• Assess
• Design
• Implement
• Operate/Maintain

Tools
• Assessment
  • Security Configuration Manager
  • DumpSec and DumpReg
  • Custom scripts (Visual Basic Scripting)
• Implementation
  • Security Configuration Manager
  • Resource Kit Utilities
  • Custom Scripts
    • VB Script, Command Shell, other scripting languages

Scripts and Examples (Demo)

Conclusion
• Holistic Approach to Security
• Detailed Plan
• Ongoing Process

Contacts
• David Goldman: 646-471-5682, david.goldman@us.pwcglobal.com
• Joseph Nocera: 312-298-2745, joseph.nocera@us.pwcglobal.com