Identity Management and Security Summit - Partner Technical Session. Jamie Sharp CISSP Microsoft Consulting jamiesh@microsoft.com. Agenda - MS QuickStart for Operating Secure Servers. Service Overview Deliverables and Resources Goals of the engagement
Identity Management and Security Summit - Partner Technical Session Jamie Sharp CISSP Microsoft Consulting jamiesh@microsoft.com
Agenda - MS QuickStart for Operating Secure Servers • Service Overview • Deliverables and Resources • Goals of the engagement • Key concepts to communicate to the customer
Fixed-price Service • Sold as 2 weeks. Partner sets price. • 96 hours delivery consultant(s) • 2 weeks (80hrs) • plus 2 days for auxiliary expert, research, etc. • 32 hours QA delivered by Microsoft expert (fee for QA & IP license) • Engagement is simply “fixed price” to the customer, do not discuss specific hours.
Target Customers • In its “pure” form, the target is the mid-size corporation with 500-10,000 seats. Larger customers can be accommodated • Invested in Windows 2000: Some value to NT 4 customers, but the prescriptive guidance assumes Windows 2000. • Looking to understand their current exposure and what is possible to achieve.
Consultant Requirements • MCSE (Active Directory Architect) • CISSP or equivalent cert/experience • ITIL Foundations or MOF Essentials • Comfortable in a Project Lead Role • MS QuickStart trained • Comfortable in presenting and leading design sessions
Project Schedule • Week #1 • Brief Security Intro • Assessment • Week #2 • Brief Operations Overview • Operations Workshop • Prescriptive Configuration Guidance and Design
Consultant Resources • Presentations • Security Intro • Operations Overview • Delivery Guide • Security Operations Guide Worksheet • Consultant Guide for SOG Worksheet
Consultant Deliverables • Resource Planning Guide • Assessment • Known vulnerability spreadsheet • Baseline Security analyzer • Assessment report template • Configuration Guidance • Security Operations Guide Windows 2000 Server • Microsoft Operations Framework Core Documents • Security Operations Guide Worksheet
Tools Used • Microsoft Baseline Security Analyzer • HFNetChk • Group policies and security templates • IIS Lockdown and URLScan • EventCombMT • DCDiag, NetDiag, NSLookUp, RepAdmin, GPResult, GPOTool, etc.
Techniques Used • Threat modeling: S.T.R.I.D.E. • Risk management • Change, Configuration and Release management • Maintaining hotfixes & service packs • Ongoing monitoring and assessment • Incident response
Engagement Goals • Get secure: • Security assessment • Application of current OS updates • Host configuration best practices • Stay secure: • Operational best practices • Leverage Active Directory to implement management of servers by role using organizational units, group policies, and delegation of administration • Identify update procedures to keep patches up to date • Use auxiliary tools like URLScan to help protect IIS servers from yet-to-be-discovered vulnerabilities
Engagement Goals • Just an assessment, even a full assessment would NOT be enough. • A “Plan to Operate Securely”, turns the findings in the assessment into manageable configuration and operations tasks and gets them moving in a positive direction. • Without the Assessment, the “Plan to Operate Securely” may not have the weight/backing it needs. Both are needed!
Why is the Engagement so Short? • We’re going for quick results, results that can be demonstrated for the client. • Follow-on work will be necessary, this engagement is only the start. • Assessment gives justification for the effort of the follow-on work and the best practices show that it is a doable effort.
Summary • Microsoft QuickStart Service is a complete packaged service • Use the resources provided to you • Manage to the time allowed • Avoid scope creep • The Assessment and the Planning do not create an endpoint, it is a quick start
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Agenda • Understanding Security • Current Situation • Solution Components • Roadmap • Wireless • VPN • Perimeter
Understanding Security • Risk Management • Resources • Threats • Vulnerabilities • Exploits • Countermeasures
Defence in Depth • Assume prior layers fail
Principle of Least Privilege • Any administrator, user, service, etc. that needs to perform a task should only be granted the minimum rights and permissions necessary to perform that task.
Threat Modeling • You cannot build secure infrastructure or applications unless you understand the associated threats.
Security Challenges • Technology • Products lack security features • Products have bugs • Many issues are not addressed by technical standards • Too hard to stay up-to-date • Process • Design for security • Roles & responsibilities • Audit, track, follow-up • Response plans • Stay up-to-date with security development • People • Lack of knowledge • Lack of commitment • Human error
Current Situation • Security is our #1 Priority • There is no silver bullet • Change requires innovation • Patches proliferating • Time to exploit decreasing • Exploits are more sophisticated • Current approach is not sufficient • [Chart: Days between patch and exploit; values shown: 331, 180, 151, 25; worms shown: SQL Slammer, Nimda, Blaster, Welchia/Nachi]
Customer Feedback (You’ve Told Us / Our Action Items) • “The quality of the patching process is low and inconsistent” Action item: Improve the Patching Experience • “I need to know the right way to run a Microsoft enterprise” Action item: Provide Guidance and Training • “I can’t keep up…new patches are released every week” Action item: Mitigate Vulnerabilities Without Patches • “There are still too many vulnerabilities in your products” Action item: Continue Improving Quality
Addressing The Situation • Security and Patch Management Priority #1 at Microsoft • Comprehensive tactical and strategic approach to addressing the situation • Trustworthy Computing Initiative • SD3+C Security framework • Patch Management Initiative
Patch Management Initiative: Progress to Date • Goal areas: Informed & Prepared Customers; Consistent & Superior Update Experience; Superior Patch Quality; Best Patch & Update Management Solutions • Rationalized patch severity rating levels • Better security bulletins and KB articles • Security Readiness Kit; Patch Management guidance, etc. • Standardized patch and update terminology • Standardized patch naming and installer switch options* • Installer consolidation plan in place – will go from ~8 to 2 • Reduced patch release frequency from 1/week to 1/month • Improved patch testing process and coverage • Expanded test process to include customers • Reduced reboots by 10%; reduced patch size by up to 75%** • Developed Patch & Update Management tools roadmap • SUS 2.0 in development: significantly enhanced capabilities • SMS 2003 delivers expanded patch and update management capabilities • More on the Patch Management Initiative in the Roadmap Section of this presentation… *Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0 **75% for Windows Update installs, more than 25% for other patches
Successful Patch Management • Trained People • Repeatable Processes • Tools & Technologies
Patch Management Process (cycle: 1. Assess, 2. Identify, 3. Evaluate, 4. Deploy) • 1. Assess Environment to be Patched • Periodic Tasks: A. Create/maintain baseline of systems B. Assess patch management architecture (is it fit for purpose) C. Review infrastructure/configuration • Ongoing Tasks: A. Discover Assets B. Inventory Clients • 2. Identify New Patches • Tasks: A. Identify new patches B. Determine patch relevance (includes threat assessment) C. Verify patch authenticity & integrity (no virus: installs on isolated system) • 3. Evaluate & Plan Patch Deployment • Tasks: A. Obtain approval to deploy patch B. Perform risk assessment C. Plan patch release process D. Complete patch acceptance testing • 4. Deploy the Patch • Tasks: A. Distribute and install patch B. Report on progress C. Handle exceptions D. Review deployment
Patch Management Guidance • Prescriptive guidance from Microsoft for effective patch management • Uses Microsoft Operations Framework (MOF) • Based on ITIL* (de facto standard for IT best practices) • Details requirements for effective patch management: • Technical & operational pre-requisites • Operational processes & how technology supports them • Daily, weekly, monthly & as-needed tasks to be performed • Testing options • Three patch management guidance offerings • Microsoft Guide to Security Patch Management** • Patch Management using Software Update Services*** • Patch Management using Systems Management Server*** *Information Technology Infrastructure Library **Emphasizes security patching & overall security management ***Comprehensive coverage of patch management using the specified technology
MBSA [slide graphic: New Update; Assess, Identify, Evaluate & Plan, Deploy] • Helps identify vulnerable Windows systems • Scans for missing security patches and common security misconfigurations • Scans various versions of Windows and other Microsoft applications • Scans local or multiple remote systems via GUI or command line invocation • Generates XML scan reports on each scanned system • Runs on Windows Server 2003, Windows 2000 and Windows XP • Integrates with SUS & SMS
Software Update Services [slide graphic: New Update; Assess, Identify, Evaluate & Plan, Deploy] • Deploys Windows security patches, security rollups, critical updates*, and service packs only • Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only • Provides patch download, deployment, and installation configuration options • Bandwidth optimized content deployment • Provides central administrative control over which patches can be installed from Windows Update • Provides basic patch installation status logging *Including critical driver updates
SMS 2003 [slide graphic: New Update; Assess, Identify, Evaluate & Plan, Deploy] • Identifies & deploys missing Windows and Office security patches on target systems • Can deploy any patch, update, or application in Windows environments • Inventory management & inventory based targeting of software installs • Install verification and detailed reporting • Flexible scheduling of content sync & installs • Central, full administrative control over installs • Bandwidth optimized content distribution • Software metering and remote control capabilities
Choosing A Patch Management Solution: Typical Customer Decisions • Adopt the solution that best meets the needs of your organisation *Windows 2000, Windows XP, Windows Server 2003 **Customer uses Windows Update or manual process for other OS versions & applications software
Patch Management Roadmap: Informed & Prepared Customers [timeline graphic, Q4 ‘02 to Q3 ‘04] • Improved KB Articles • GTM Partnership Deliverables • Security Bulletin Teleconferences • Bulletin Search Page • Clearer Severity Rating Levels • Patch Management Guides • Sustaining Engineering Practices White Paper • Patch Management White Paper • Security Readiness Kit (Guides, Tools, Best Practices) • New Security & Patch Management workshops • Regular web casts on security patch management* • Updated roadmap, whitepapers, and guidance • Revised Patch Management Guides *See http://www.microsoft.com/usa/webcasts/upcoming/default.asp for upcoming web casts
Consistent & Superior Update Experience [timeline graphic, Q1 ‘03 to Q4 ‘04] • Add/Remove Program Improvements • Standard Detection Manifest • Standard installer switches defined • Standard terminology for documentation • 2 Installers: MSI, Update.exe • MSI 3.0 • Patches & Security Bulletins released once a month • Standard Titles* • Standard Property Sheet • Standard Registry Entries • Standard naming and signing • MSI 3.0 supports uninstall, binary delta patching, etc. – Q2 2004 • Converge to two installers – Q4 2004 • Monthly patch delivery for non-emergency patches - Today *For Add/Remove Programs, Windows Update, and Download Center
Superior Patch Quality [timeline graphic, Q4 ‘02 to Q3 ‘04] • 90% Reduction in Patch Size • 75% Reduction in Patch Size* • 25% Reduction in Patch Size • 10% Reduction in Patch Reboots • Patch test process includes participating customers • 30% Reduction in Patch Reboots** • Up to 75% reduction in patch size* • 10% reduction in patch reboots • Patch test process extended to include customers *For Windows Update installs, more than 25% reduction for other patches **For Windows Server 2003 patches
MBSA • Overall direction • MBSA update scanning functionality integrated into Windows patch management functionality • MBSA becomes Windows assessment & mitigation engine • Near- and Intermediate-term plans • MBSA 1.2 (Q4 2003) • Improves report consistency, product coverage, and locale support • Integrates Office Update Inventory Tool • MBSA 2.0 (Q2 2004) • Update scanning functionality migrates to SUS 2.0 / Microsoft Update • MBSA leverages SUS 2.0 for update scanning
SUS 2.0 • Support for additional Microsoft products • Administrative control • Deployment & targeting • Bandwidth efficiency • Scale out • Status reporting
Patch Management Functionality: Future Direction • Longer-term (Longhorn time frame) • SUS functionality integrated into Windows • SUS supports updating of all Microsoft software • SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software • SMS patch management built on SUS infrastructure and delivers advanced patch management functionality • Near-term • SUS 2.0 (Spring 2004) • Single infrastructure for patch management • Support for additional Microsoft products • Significant improvements in patch management functionality • SMS 2003 Update Management Feature Pack (H2 2004) • Leverages SUS for update scanning & download • Leverages SUS client (Automatic Updates) for installs
Current Situation • Huge fear of wireless • Rooted in misunderstandings of security • Wireless can be made secure • Takes work • Need to understand problem • Need to plan for secure solution
WEP Issues • Key and initialisation vector reuse • Known plaintext attack • Partial known plaintext attack • Weaknesses in RC4 key scheduling algorithm • Authentication forging • Realtime decryption • More Information • http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html WEP - Wired Equivalent Privacy
Solution Today - 802.1X • Port-based access control mechanism defined by IEEE • Works on anything, wired and wireless • Access point must support 802.1X • No special WIC requirements • Allows choice of authentication methods using EAP • Chosen by peers at authentication time • Access point doesn’t care about EAP methods • Manages keys automagically • No need to preprogram WICs
Solution Today - EAP • Link-layer security framework • Simple encapsulation protocol for authentication mechanisms • Runs over any link layer, lossy or lossless • No built-in security • Doesn’t assume physically secure link • Authentication methods must incorporate their own security
AuthN Supported in Windows • EAP-MD5 disallowed for wireless • Can’t create encrypted session between supplicant and authenticator • Would transfer password hashes in the clear • Cannot perform mutual authentication • Vulnerable to man-in-the-middle attacks • EAP-TLS in Windows XP release • Requires client certificates • Best to have machine and user • Service pack 1 adds protected EAP (PEAP)
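The EAP encapsulation and the wireless method policy from the two slides above, as an added Python example that is not part of the original slides. It assumes the RFC 3748 header layout (Code, Identifier, Length, then Type for Request/Response) and the IANA method numbers 4 (MD5-Challenge), 13 (EAP-TLS) and 25 (PEAP); the sample packets and the verdict strings are constructed for illustration.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
NON_METHOD_TYPES = {1, 2, 3}      # Identity, Notification, Nak: no credentials
ALLOWED_WIRELESS = {13, 25}       # EAP-TLS and PEAP, per the slide
REJECTED_WIRELESS = {4}           # EAP-MD5: no mutual auth, no session keys

def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header and, for Request/Response, the Type octet."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("Length field disagrees with bytes received")
    info = {"code": CODES[code], "id": ident, "length": length,
            "type": None, "data": b""}
    if code in (1, 2):                        # only these carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        info["type"] = packet[4]
        info["data"] = packet[5:length]       # bytes past Length are padding
    return info

def wireless_verdict(packet: bytes) -> str:
    """Return 'allow', 'reject' or 'no-method' for one EAP packet."""
    info = parse_eap(packet)
    if info["type"] is None or info["type"] in NON_METHOD_TYPES:
        return "no-method"
    if info["type"] in REJECTED_WIRELESS:
        return "reject"
    # Allow-list: anything not explicitly approved is refused as well.
    return "allow" if info["type"] in ALLOWED_WIRELESS else "reject"

# Constructed sample packets (hex), one per case.
SAMPLES = {
    "identity": bytes.fromhex("0101000501"),
    "md5": bytes.fromhex("010200160410") + bytes(range(16)),
    "peap_start": bytes.fromhex("010300061920"),
    "success": bytes.fromhex("03040004"),
}

def verdicts() -> dict:
    return {name: wireless_verdict(pkt) for name, pkt in SAMPLES.items()}
```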
Protected EAP (PEAP) • Extension to EAP • Allows use of any secure authentication mechanism for EAP • No need to write individual EAP-enabled methods • Windows PEAP allows: • MS-CHAPv2—passwords • TLS (SSL channel)—certificates • PEAP-EAP-TLS a little slower than EAP-TLS • SecurID—but not tested/supported for wireless • For many deployments, machine and user passwords still are necessary • PEAP enables secure wireless now • Allows easy migration to certificates and smartcards later
802.1X & EAP Provides • Mutual device authentication • Workstation and authentication server • No rogue access points • Prevents man-in-the-middle attacks • Ensures key is transferred to correct entity • User authentication • No unauthorized access or interception • WEP key uniqueness and regeneration • Packet/disassociation spoofing prevention