Dirty-Dozen: Top 12 Issues in Windows 2000 Security
Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.
Agenda
• Was the FBI Right?
• Too Trusting?
• EFS / XP / W2K Issues
• Anonymous Access Exposes Data
• Preventing Unauthorized Access
• NTFS Inheritance
• Don’t Give Permissions to User Accounts
• So many security settings to configure!
• So many boxes to secure
• Too Many Administrators
• Patching Mania
• Weak Passwords
1. Was the FBI Right?
• Universal Plug-and-Play standard
• Feature of XP – unfortunately flawed
• Security Bulletin MS01-059
• Knowledge Base article Q315056
What’s the Fuss?
• Buffer overrun – attacker controls the system
• Endless download cycle (DoS) possible if a device host is maliciously configured
• Flooding of a third-party server (DoS) with bogus requests
Patch Available
• Windows XP and Windows 98
• Or disable the SSDP Discovery Service
Configuration to Limit Exposure – Q315056
• Regulate device download based on scope
• Regulate device description download based on router hops
• Port restrictions
• Delay mechanisms
2. Too Trusting
• Security Bulletin MS02-001 – Using SID Filtering to Prevent Elevation of Privilege Attacks
• An Administrator of one domain could obtain administrative rights in another
Domain Trust Relationships (diagram: W2K and NT domains, trusted and trusting sides)
To exploit you’d have to:
• Be Domain Administrator in the trusted domain
• NT: develop and install custom operating system components
• W2K: binary edit of the data structures that hold the SIDHistory mechanism
Protecting Security Boundaries
• No trust
• NT-style trust between domains in separate forests – apply SID Filtering
• Kerberos-style trust between domains in the same forest – NO!!!!!! Do not apply SID Filtering
• Vet, hire and audit trustworthy admins
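Added example (not from the slides): the MS02-001 mitigation for an NT-style trust to a domain outside your forest is to quarantine the trust with netdom, which is the "SID Filtering" setting above. Assumes netdom.exe is available (Windows 2000 Support Tools, in-box on later versions), that you run it on a domain controller of the trusting domain as a Domain Admin, and that the two domain names are placeholders.

```powershell
# Enable SID filtering ("quarantine") on an external trust, then read it back.
$TrustingDomain = "corp.example"     # placeholder: our domain, the one that trusts
$TrustedDomain  = "partner.example"  # placeholder: the other domain, whose SIDs get filtered

# Only for trusts to domains OUTSIDE our forest. Never quarantine an
# intra-forest (Kerberos-style) trust: it breaks SIDHistory and universal groups.
netdom trust $TrustingDomain /domain:$TrustedDomain /quarantine:Yes

# Check step: /quarantine with no Yes/No value prints the current state.
netdom trust $TrustingDomain /domain:$TrustedDomain /quarantine
```

After quarantining, accounts from the trusted domain that rely on SIDs from any other domain (migrated users carrying SIDHistory) lose that access, so verify cross-domain group memberships before and after.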
Best Practice
3. EFS / XP / W2K
• EFS algorithms
• Is data loss possible?
• Storage issues
• XP-specific issues
Excellent Encryption Product
• Symmetric and asymmetric encryption
• W2K – file recovery
• .NET – file or key recovery
Is Data Loss Possible?
• Very possible to lose data
• Disable EFS
• Implement PKI
• Deploy EFS
Storage Issues
• Network storage
• W2K – not encrypted during transport – use IPSec
• XP – use Web Folders – files remain encrypted
• Copy to FAT – decrypted
• W2K/XP backup preserves encryption
XP-Specific Issues
• Sharing encrypted files may be dangerous
• Administrative password reset uncouples the certificate from the user account
4. Anonymous Access Exposes Data
• Anonymous access is accomplished via a null domain name, account and password
• Necessary for some applications/services
5. Preventing Unauthorized Access
• Windows 2000/XP in a domain – Kerberos
• Compatibility dilemma
  • NT – NTLM
  • Win9x – LM
• NTLMv2 advantage
  • Prevents sending of the LM password hash
  • Available on NT, and on Win9x with the AD client installed
• Registry entry to prevent storage of the LM password hash
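Added example (not from the slides): the three settings behind issues 4 and 5 all live under the LSA registry key, so one read-only script can audit a box for all of them. Assumes you run it as a local Administrator; the meanings of the values are the documented Windows 2000/XP ones, and the "findings" thresholds are this example's own choice.

```powershell
# Audit anonymous-access and LM/NTLM settings on the local machine.
$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$key = Get-ItemProperty -Path $lsa

# Issue 4: RestrictAnonymous (Windows 2000 meaning: 0 = default permissions,
# 1 = no enumeration of SAM accounts and shares, 2 = no access without explicit
# anonymous permissions). 2 can break NT trusts and some services, so test it first.
# XP splits this into RestrictAnonymous / RestrictAnonymousSAM / EveryoneIncludesAnonymous.
$ra = $key.RestrictAnonymous
if ($null -eq $ra) { $ra = 0 }   # missing value behaves as 0

# Issue 5: LmCompatibilityLevel (0-5). 3+ = clients send NTLMv2 only;
# 4 = DCs refuse LM; 5 = DCs refuse LM and NTLM ("force NTLMv2").
$lm = $key.LmCompatibilityLevel
if ($null -eq $lm) { $lm = 0 }

# Issue 5: NoLMHash stops the LM hash being stored at the next password change.
# On XP/2003 it is a DWORD value; on Windows 2000 SP2+ it is a SUBKEY named NoLMHash.
$noLm = ($key.NoLMHash -eq 1) -or (Test-Path "$lsa\NoLMHash")

[pscustomobject]@{
    RestrictAnonymous    = $ra
    LmCompatibilityLevel = $lm
    NoLMHashConfigured   = $noLm
    Findings             = @(
        if ($ra -lt 1)    { "Anonymous can enumerate accounts and shares (RestrictAnonymous < 1)" }
        if ($lm -lt 3)    { "Clients may still send LM/NTLM responses (LmCompatibilityLevel < 3)" }
        if (-not $noLm)   { "LM hash is still stored for new passwords (NoLMHash not set)" }
    )
}
```

Setting NoLMHash only affects passwords changed after the setting is in place; existing LM hashes remain until each user changes their password, which is why the Weak Passwords item later in the deck matters here too.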
6. NTFS Permissions Inheritance
• Windows NT – can be cascaded to any level!
• Windows 2000 – can be blocked at subfolder level.
• Windows XP, unlike W2K – can apply defaults on upgrade.
Best Practice
7. Don’t Give Permissions to User Accounts
• Add user accounts to Global Groups
• Add Global Groups to Local Groups
• Assign permissions to Local Groups
• W2K native mode – use Universal Groups
• Promotes ease of administration, assurance of access removal, clear audit path
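Added example (not from the slides), covering issues 6 and 7 together: grant a share folder to a local group that contains a domain global group (the AGLP chain), then block inheritance on one subfolder the way Windows 2000 allows. Assumes a domain-joined member server, an administrative session, and that the domain name, group names and paths are placeholders; the domain admins are assumed to have already put users into the global group (the A-to-G step).

```powershell
$Domain      = "CORP"                  # placeholder NetBIOS domain name
$GlobalGroup = "Finance-Users"         # placeholder: domain global group (A -> G done elsewhere)
$LocalGroup  = "Finance-Share-Modify"  # placeholder: local group on this server (G -> L)
$Root        = "D:\Shares\Finance"     # placeholder
$Restricted  = Join-Path $Root "Payroll"

New-Item -ItemType Directory -Path $Restricted -Force | Out-Null

# G -> L: nest the global group in a machine-local group. No user account is
# ever named on this server, so removing someone from the global group removes all access.
net localgroup $LocalGroup /add | Out-Null
net localgroup $LocalGroup "$Domain\$GlobalGroup" /add | Out-Null

# L -> P: permissions go to the local group only, inherited down the tree.
$identity = "$env:COMPUTERNAME\$LocalGroup"
$acl  = Get-Acl -Path $Root
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Issue 6: block inheritance at the subfolder. $true,$true = protect the DACL and
# copy the currently inherited ACEs as explicit ones, so nothing is lost by accident;
# the copied Finance ACE can then be removed and a narrower group granted explicitly.
$sub = Get-Acl -Path $Restricted
$sub.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Restricted -AclObject $sub

# Check: inheritance is blocked and every ACE on the subfolder is now explicit.
(Get-Acl -Path $Restricted).AreAccessRulesProtected
(Get-Acl -Path $Restricted).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Auditing stays simple because the ACL on the folder shows one local group, the local group shows one global group, and the global group shows the people; that is the "clear audit path" the slide promises.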
Tool
8. So Many Security Settings to Configure
Key Feature
9. So Many Boxes to Secure
• Develop baselines for classes of boxes
• Create baseline security templates
• Apply them
  • Security Configuration and Analysis
  • Group Policy
• Use them to audit system compliance with policy
10. Too Many Administrators
• Use default groups
  • Server/Account/Print Operators
  • Power Users
• Create groups and assign rights and permissions
• Question and evaluate any request for administrative status
• Windows 2000 – use delegation of authority
11. Patching Mania
• Everyone says to patch your system ?????
• Windows Update – single systems
• Windows Corporate Update Site
  • http://corporate.windowsupdate.microsoft.com
• Qchain
12. Weak Passwords
• Many attacks require authenticated access
• Default password policy is weak
• Users need training in creating strong passwords
• Consider alternatives – biometrics, smart cards
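Added example (not from the slides), serving issues 9 and 12: the same .inf security template you deploy with Security Configuration and Analysis or Group Policy can be used to audit a box, and the [System Access] section of such a template is where the password policy (MinimumPasswordLength, PasswordComplexity, LockoutBadCount and friends) lives. This script exports the machine's current settings with secedit and reports drift against a baseline template. Assumes an administrative session, secedit.exe (Windows 2000 and later), and that the baseline path is a placeholder for your own template; the small INI parser is this example's own code.

```powershell
$Baseline = "C:\Baselines\member-server.inf"        # placeholder: your baseline template
$Current  = Join-Path $env:TEMP "current-settings.inf"

# Export the effective local security settings to an .inf in the same format.
secedit /export /cfg $Current /quiet | Out-Null

function Get-InfSection {
    param([string]$Path, [string]$Section)
    # secedit .inf files are INI-style (Unicode; Get-Content honours the BOM).
    # Returns the Name=Value pairs of one section as a hashtable.
    $map = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq $Section)
            continue
        }
        if ($inSection -and $line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

$want = Get-InfSection -Path $Baseline -Section 'System Access'
$have = Get-InfSection -Path $Current  -Section 'System Access'

# One row per baseline setting; DRIFT means the box does not match the template.
foreach ($name in ($want.Keys | Sort-Object)) {
    $expected = $want[$name]
    $actual   = $have[$name]
    [pscustomobject]@{
        Setting  = $name
        Baseline = $expected
        Current  = $actual
        Status   = if ($actual -eq $expected) { 'OK' } else { 'DRIFT' }
    }
}
```

Running this against the default template shows why the slide calls the default password policy weak: MinimumPasswordLength and PasswordComplexity come back at their permissive defaults until a baseline raises them. For a full comparison across all areas (registry values, service startup, user rights), `secedit /analyze` against a database built from the same template does the same job at larger scale.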
What is Microsoft Doing? Trustworthy Computing?
• Bill Gates speech on trustworthy computing.
• Month-long no-new-code sabbatical.
• Can perfect code be produced?
• What will it cost?
• What’s the track record, really?
Stats (www.securityfocus.com)
• Most vulnerabilities: Mandrake Soft Linux with 34
• 2nd, 3rd, 4th place – three other versions of Linux
• 5th – Windows 2000 and 2 versions of Solaris tied with 24 each
Checklist
• Patch and/or disable UPnP
• Understand the meaning of trust
• Disable EFS until PKI
• Restrict anonymous access
• Force NTLMv2 where Kerberos won’t prevail
• Protect key NTFS permissions
• AGLP
• Create security baselines
• Use Group Policy
• Delegate authority
• Patch
• Use strong authentication
Call to Action! (hold Bill’s feet to the fire)
Questions?
Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.