Dirty-Dozen: Top 12 Issues in Windows 2000 Security

Presentation Transcript


  1. Dirty-Dozen: Top 12 Issues in Windows 2000 Security
     Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.

  2. Agenda
     • Was the FBI Right?
     • Too Trusting?
     • EFS/XP/W2K Issues
     • Anonymous Access Exposes Data
     • Preventing Unauthorized Access
     • NTFS Inheritance
     • Don’t Give Permissions to User Accounts
     • So many security settings to configure!
     • So many boxes to secure
     • Too Many Administrators
     • Patching Mania
     • Weak Passwords

  3. 1. Was the FBI Right?
     • Universal Plug-and-Play standard
     • Feature of XP – unfortunately flawed
     • Security Bulletin MS01-59
     • Knowledge Base article Q315056

  4. What’s the Fuss?
     • Buffer overrun – attacker controls system
     • Endless download cycle (DoS) possible if a maliciously configured device host is present
     • Flooding of a third-party server (DoS) with bogus requests

  5. Patch Available
     • Windows XP and Windows 98
     • Or disable the SSDP Discovery Service

  6. Configuration to Limit Exposure – Q315056
     • Regulate device download based on scope
     • Regulate device description download based on router hops
     • Port restrictions
     • Delay mechanisms

  7. 2. Too Trusting
     • Security Bulletin MS02-001 – Using SID Filtering to Prevent Elevation of Privilege Attacks
     • An Administrator of one domain could obtain administrative rights in another

  8. Domain Trust Relationships (diagram: W2K domain, NT trusted domain, NT trusting domain)

  9. To exploit you’d have to:
     • Be Domain Administrator in the trusted domain
     • NT: develop and install custom operating system components
     • W2K: binary edit of the data structures that hold the SIDHistory mechanism

  10. Protecting Security Boundaries
     • No trust
     • NT-style trust between domains in separate forests – SID Filtering
     • Kerberos-style trust between domains in a forest – NO!!!!!! Do not apply SID Filtering
     • Vet, hire and audit trustworthy admins

  11. Best Practice – 3. EFS/XP/W2K
     • EFS algorithms
     • Is Data Loss Possible?
     • Storage Issues
     • XP-specific issues

  12. Excellent Encryption Product
     • Symmetric and asymmetric encryption
     • W2K – File recovery
     • .NET – File or key recovery

  13. Is Data Loss Possible?
     • Very possible to lose data
     • Disable EFS
     • Implement PKI
     • Deploy EFS

  14. Storage Issues
     • Network Storage
       • W2K – not encrypted during transport – use IPSec
       • XP – use Web Folders – files remain encrypted
     • Copy to FAT – decrypted
     • W2K/XP backup preserves encryption

  15. XP-Specific Issues
     • Sharing encrypted files may be dangerous
     • Administrative password reset uncouples the certificate from the user account

  16. 4. Anonymous Access Exposes Data
     • Anonymous access is accomplished via a null session: null domain name, account name and password
     • Necessary for some applications/services

  17. 5. Preventing Unauthorized Access
     • Windows 2000/XP in domain – Kerberos
     • Compatibility dilemma
       • NT – NTLM
       • Win9x – LM
     • NTLMv2 advantage
       • Prevents sending of the LM password hash
       • Available on NT and Win9x with the AD client installed
     • Registry entry to prevent storage of the LM password hash
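Slides 16 and 17 name three host settings without saying where they live. The following added script (not part of the original presentation) reads the LSA registry values that control anonymous access, the LM/NTLM/NTLMv2 negotiation level and LM hash storage, and reports what is still exposed. It assumes it is run with administrative rights on the machine being checked; the value names are the documented LSA values, not taken from the slides.

```powershell
# Added example: audit the LSA settings behind "Restrict Anonymous Access"
# and "Force NTLMv2 / stop storing LM hashes". Assumes administrative rights.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa

# RestrictAnonymous: 0 = none, 1 = no enumeration of SAM accounts and shares,
# 2 = no access without explicit anonymous permissions (Windows 2000).
$restrictAnon = if ($null -ne $props.RestrictAnonymous) { $props.RestrictAnonymous } else { 0 }

# LmCompatibilityLevel: 0-1 still send LM responses, 2 sends NTLM only,
# 3 sends NTLMv2 only, 4-5 additionally make a DC refuse LM (and NTLM).
$lmLevel = if ($null -ne $props.LmCompatibilityLevel) { $props.LmCompatibilityLevel } else { 0 }

# NoLMHash: a DWORD value on XP/2003, but a subkey named NoLMHash on
# Windows 2000 SP2+, so both forms are checked.
$noLmHashValue = $props.NoLMHash
$noLmHashKey   = Test-Path (Join-Path $lsa 'NoLMHash')
$lmHashStorageDisabled = ($noLmHashValue -eq 1) -or $noLmHashKey

function Get-LsaAuthFindings {
    [pscustomobject]@{
        RestrictAnonymous     = $restrictAnon
        LmCompatibilityLevel  = $lmLevel
        LMHashStorageDisabled = $lmHashStorageDisabled
        Findings = @(
            if ($restrictAnon -lt 1) {
                'Anonymous sessions may enumerate accounts and shares; set RestrictAnonymous to 1 (or 2 on Windows 2000 where nothing depends on null sessions)'
            }
            if ($lmLevel -lt 3) {
                'Clients may still send LM/NTLMv1 responses; set LmCompatibilityLevel to 3 or higher once all clients support NTLMv2'
            }
            if (-not $lmHashStorageDisabled) {
                'LM hashes are still stored; enable NoLMHash (existing hashes disappear only at the next password change)'
            }
        )
    }
}

Get-LsaAuthFindings | Format-List
```

Setting NoLMHash does not remove hashes already stored, so a forced password change is needed before the LM hash is actually gone.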

  18. 6. NTFS Permissions Inheritance
     • Windows NT – can be cascaded to any level!
     • Windows 2000 – can be blocked at subfolder level
     • Windows XP, unlike W2K – can apply defaults on upgrade

  19. Best Practice – 7. Don’t Give Permissions to User Accounts
     • Add user accounts to Global Groups
     • Add Global Groups to Local Groups
     • Assign permissions to Local Groups
     • W2K native mode – use Universal Groups
     • Promotes ease of administration, assurance of access removal, clear audit path
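One way to find where this rule is already being broken, as an added example that is not part of the original presentation: list the explicit ACEs on a folder whose trustee resolves to an individual user account rather than a group. The folder path is a placeholder, and account classes are resolved through the WinNT ADSI provider, which is assumed to be reachable for the domain in question.

```powershell
# Added example: flag NTFS ACEs granted directly to user accounts (the
# anti-pattern above) so they can be moved onto groups (AGLP).
param([string]$Path = 'C:\Shares\Finance')   # placeholder path

# Well-known security principals that are never individual users.
$skipDomains = @('NT AUTHORITY', 'BUILTIN', 'CREATOR OWNER', 'NT SERVICE')

function Get-UserAssignedAces {
    param([string]$FolderPath)
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                 # explicit ACEs on this folder only
        $name = $ace.IdentityReference.Value               # e.g. CONTOSO\jsmith
        if ($name -notmatch '\\') { continue }             # no domain part, e.g. Everyone
        $domain, $account = $name -split '\\', 2
        if ($skipDomains -contains $domain) { continue }
        try {
            $obj   = [ADSI]"WinNT://$domain/$account"
            $class = $obj.SchemaClassName                  # 'User' or 'Group'
        } catch {
            $class = 'Unknown'                             # could not be resolved
        }
        if ($class -eq 'User') {
            [pscustomobject]@{
                Path    = $FolderPath
                Trustee = $name
                Rights  = $ace.FileSystemRights
                Type    = $ace.AccessControlType
                Advice  = 'Put the user in a global group, nest it in a local group, grant the right to the local group'
            }
        }
    }
}

Get-UserAssignedAces -FolderPath $Path | Format-Table -AutoSize
```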

  20. Tool – 8. So Many Security Settings to Configure

  21. Key Feature – 9. So Many Boxes to Secure
     • Develop baselines for classes of boxes
     • Create baseline security templates
     • Apply
       • Security Configuration and Analysis
       • Group Policy
     • Use to audit system compliance with policy

  22. 10. Too Many Administrators
     • Use default groups
       • Server/Account/Print Operators
       • Power Users
     • Create groups and assign rights and permissions
     • Question and evaluate any request for administrative status
     • Windows 2000 – use delegation of authority

  23. 11. Patching Mania
     • Everyone says to patch your system ?????
     • Windows Update – single systems
     • Windows Corporate Update Site
       • http://corporate.windowsupdate.microsoft.com
     • Qchain

  24. 12. Weak Passwords
     • Many attacks require authenticated access
     • Default password policy is weak
     • Users need training in creating strong passwords
     • Consider alternatives – biometrics, smart cards

  25. What is Microsoft Doing? Trustworthy Computing?
     • Bill Gates speech on trustworthy computing
     • Month-long no-new-code sabbatical
     • Can perfect code be produced?
     • What will it cost?
     • What’s the track record, really?

  26. Stats (www.securityfocus.com)
     • Most vulnerabilities: Mandrake Soft Linux with 34
     • 2nd, 3rd, 4th place – three other versions of Linux
     • 5th – Windows 2000 and two versions of Solaris tied with 24 each

  27. www.securityfocus stats (chart)

  28. Checklist – Call to Action! (hold Bill’s feet to the fire)
     • Patch and/or disable UPnP
     • Understand the meaning of trust
     • Disable EFS until PKI
     • Restrict anonymous access
     • Force NTLMv2 where Kerberos won’t prevail
     • Protect key NTFS permissions
     • AGLP
     • Create security baselines
     • Use Group Policy
     • Delegate authority
     • Patch
     • Use strong authentication

  29. Questions?
     Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.
