Applied Security Strategies. Michael Anderberg Senior Systems Engineer, Windows Platform Microsoft AB. Session Prerequisites. Understanding of enterprise security challenges Knowledge of securing computers by using Group Policy Understanding of remote access basics
Applied Security Strategies Michael Anderberg Senior Systems Engineer, Windows Platform Microsoft AB
Session Prerequisites • Understanding of enterprise security challenges • Knowledge of securing computers by using Group Policy • Understanding of remote access basics • Knowledge of how to apply security patches Level 300
Agenda • Introduction • Real-World Patch Management Strategies • Real-World Remote Access Strategies • Troubleshooting Security Configurations
Defense in Depth • Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success • Layers, outermost to innermost, with example controls at each: • Policies, Procedures, & Awareness: user education • Physical Security: guards, locks, tracking devices • Perimeter: firewalls, VPN quarantine • Internal Network: network segments, IPSec, NIDS • Host: OS hardening, update management, authentication, HIDS • Application: application hardening, antivirus • Data: ACL, encryption
Common Security Challenges • Patch management: beyond the basics • Remote access security • Troubleshooting security policies
Agenda • Introduction • Real-World Patch Management Strategies • Real-World Remote Access Strategies • Troubleshooting Security Configurations
Patch Management Process • A four-phase cycle: 1. Assess → 2. Identify → 3. Evaluate and Plan → 4. Deploy → back to 1. Assess • 1. Assess Environment to be Patched • Periodic tasks: A. Create/maintain baseline of systems B. Assess patch management architecture C. Review infrastructure/configuration • Ongoing tasks: A. Discover assets B. Inventory clients • 2. Identify New Patches • Tasks: A. Identify new patches B. Determine patch relevance C. Verify patch authenticity and integrity • 3. Evaluate and Plan Patch Deployment • Tasks: A. Obtain approval to deploy patch B. Perform risk assessment C. Plan patch release process D. Complete patch acceptance testing • 4. Deploy the Patch • Tasks: A. Distribute and install patch B. Report on progress C. Handle exceptions D. Review deployment
Monitoring Patch Status • Subscribe to notification services • Microsoft Security Notification Service • Third-party mailing lists • Check websites • www.microsoft.com/technet/security • Product-specific pages • Third-party sites • Implement regular review and deployment schedule • Microsoft’s patch release schedule: second Tuesday of each month • Exception: customers are at immediate risk • Configure automated tools to check for new updates daily
When to Apply Patches • The choice is made per patch, weighing exposure against the risk of breaking production: • Apply as soon as possible • Apply only after testing • Implement mitigating measures (for example, block the affected port at the firewall or disable the affected service) until the patch can be applied • Apply according to severity rating
MBSA Benefits • Automates identification of missing security patches and security configuration issues • Allows administrator to centrally scan a large number of systems simultaneously • Works with a broad range of Microsoft software (not just Windows and Office)
MBSA – How It Works • MSSecure.xml contains: • Security bulletin names • Product-specific updates • Version and checksum info • Registry keys changed • KB article numbers • Run MBSA on an admin system and specify the target computers • MBSA downloads a CAB file containing MSSecure.xml from the Microsoft Download Center and verifies its digital signature before using it • Scans target systems for OS, OS components, and applications • Parses MSSecure.xml to see which updates apply to what it found • Checks whether required updates are missing (file versions, checksums, registry keys) • Generates a time-stamped report of missing updates
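The per-bulletin check described on this slide, as an added example written for this page (it is not MBSA's own code, and the catalog entries, file versions and registry key names below are constructed stand-ins for MSSecure.xml data). It shows the three decisions the scanner makes for each entry: is the product installed (relevance), is the file at or above the expected version, and is the registry key the installer writes present. The version comparison is done numerically on purpose: comparing version strings lexically makes 5.2.3790.999 look newer than 5.2.3790.1830.

```python
"""Added example: the relevance / file-version / registry-key check that a
catalog-driven scanner such as MBSA performs. Illustrative code written for
this page; catalog and host inventory below are constructed."""
from dataclasses import dataclass


def parse_version(text):
    """'5.2.3790.1830' -> (5, 2, 3790, 1830) so the parts compare as numbers."""
    return tuple(int(part) for part in text.split("."))


def version_at_least(installed, required):
    """True if installed >= required. Shorter tuples are zero-padded so that
    '5.2' and '5.2.0.0' compare equal instead of by length."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


@dataclass(frozen=True)
class CatalogEntry:
    bulletin: str      # constructed bulletin name
    kb: str            # constructed KB number
    product: str       # product the update applies to
    file: str          # file whose version proves the update is installed
    min_version: str   # version the update ships
    reg_key: str       # registry key the installer writes (constructed path)


# Constructed stand-in for the relevant entries of MSSecure.xml.
CATALOG = [
    CatalogEntry("BULLETIN-A", "KB000001", "Windows Server 2003", "ntoskrnl.exe",
                 "5.2.3790.1830", r"HKLM\SOFTWARE\Constructed\Updates\KB000001"),
    CatalogEntry("BULLETIN-B", "KB000002", "Windows Server 2003", "tcpip.sys",
                 "5.2.3790.2453", r"HKLM\SOFTWARE\Constructed\Updates\KB000002"),
    CatalogEntry("BULLETIN-C", "KB000003", "Windows Server 2003", "rpcrt4.dll",
                 "5.2.3790.1650", r"HKLM\SOFTWARE\Constructed\Updates\KB000003"),
    CatalogEntry("BULLETIN-D", "KB000004", "Office 2003", "winword.exe",
                 "11.0.6568.0", r"HKLM\SOFTWARE\Constructed\Updates\KB000004"),
]

# Constructed inventory of one scanned host: installed products, file
# versions found on disk, and update registry keys present.
HOST = {
    "products": {"Windows Server 2003"},
    "files": {"ntoskrnl.exe": "5.2.3790.1830",
              "tcpip.sys": "5.2.3790.999",     # older build, despite the larger last number
              "rpcrt4.dll": "5.2.3790.1700"},
    "reg_keys": {r"HKLM\SOFTWARE\Constructed\Updates\KB000001"},
}


def missing_updates(host, catalog):
    """Return [(bulletin, reason)] for every catalog entry that is relevant to
    the host but not verifiably installed."""
    findings = []
    for entry in catalog:
        if entry.product not in host["products"]:
            continue                       # not relevant: product absent
        installed = host["files"].get(entry.file)
        if installed is None or not version_at_least(installed, entry.min_version):
            findings.append((entry.bulletin,
                             f"{entry.file} version {installed} is below {entry.min_version}"))
        elif entry.reg_key not in host["reg_keys"]:
            # File is current but the installer's key is missing: report it,
            # the same way a scanner flags a possibly incomplete installation.
            findings.append((entry.bulletin, f"{entry.reg_key} not present"))
    return findings


if __name__ == "__main__":
    for bulletin, reason in missing_updates(HOST, CATALOG):
        print(f"MISSING {bulletin}: {reason}")
```

Running it reports BULLETIN-B (file version too low) and BULLETIN-C (registry key absent); BULLETIN-A is installed and BULLETIN-D is skipped because Office is not on the host. This is also why MBSA and Windows Update can disagree: they evaluate different catalogs and different evidence for the same update.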
Automating Detection with MBSA • MBSA Scan (GUI) • Performs well for small and medium-size networks • MBSA Scan (mbsacli.exe) • Performs automated scans using command-line parameters • Example: mbsacli /d mydomain /f report.txt • MBSA Scan in HFNetChk mode (mbsacli.exe /hf) • Performs automated scans using command-line parameters • Checks for missing patches only • Example: mbsacli /hf -o tab -f report.txt • MBSA and Windows Update might show different results, because they use different detection data
Automating Patch Distribution and Monitoring with SUS • Performs pull installations of service packs, security rollup packages, and critical updates • Gives administrators control over software updates • Prevents unauthorized installations when SUS is used with Automatic Updates • Allows for staging and testing • Works only for Windows 2000 and later
Managing a Complex SUS Environment • [Diagram: a domain with OUs for Member Servers, SUS Test, HO Workstations, RO1 Workstations, and RO2 Workstations, each linked to its own GPO (Member Server GPO, SUS Test GPO, HO GPO, RO1 GPO, RO2 GPO)] • Centrally manage downloading and approving updates • Use OU structure and GPOs to manage SUS update distribution • Use the WUAU.ADM template file to configure AU client settings • Assign GPOs to OUs
Using Management Software to Distribute and Apply Patches • Systems Management Server (SMS) 2003 • Gives administrators control over patch management • Automates the patch management process • Updates a broad range of Microsoft products • Updates third-party software • Provides flexibility by using scripts • Third-Party Solutions • Integrate with third-party solutions through scripting
Patching Microsoft Office • Office Inventory Tool • Office Update • Office patches require the original installation files (the installation media or an administrative installation point) • Office 2003 caches installation files locally, so clients no longer need the original source • Patching administrative installation points
Best Practices for Successful Patch Management • Use a change control process • Read all related documentation • Apply updates only as needed • Test updates thoroughly • Ensure consistency across domain controllers • Back up your system, and schedule production downtime • Always have a rollback plan • Forewarn help desk and key user groups • Target non-critical servers first
Agenda • Introduction • Real-World Patch Management Strategies • Real-World Remote Access Strategies • Troubleshooting Security Configurations
VPNs and Firewalls • Combining a firewall with a VPN server • [Diagram: two placements, RAS server and firewall on the same computer, and RAS server behind the firewall; VPN clients connect to the RAS server in both cases]
VPN Server Behind a Firewall • Challenge: Allow the firewall to pass the VPN protocols to the VPN server (PPTP needs TCP 1723 and GRE; L2TP/IPSec needs UDP 500, ESP, and UDP 4500 when NAT-T is used) • Challenge: Stateful inspection cannot see inside the encrypted tunnel, and the firewall must track non-TCP/UDP protocols such as GRE and ESP correctly
Challenges of Using IPSec and NAT • [Diagram: a packet (Orig IP Hdr, TCP Hdr, Data) has an AH header inserted after the IP header (Orig IP Hdr, AH Hdr, TCP Hdr, Data); each NAT device it crosses rewrites the IP header (NAT1 Hdr, NAT2 Hdr)] • The AH header contains a keyed hash (integrity check value) computed over the original packet header, so when a NAT device modifies the header the hash no longer verifies and the packet is discarded • IKE uses IP fragments, which many NAT devices cannot handle • NAT devices that assume tunnel mode
Solution Model • IETF draft on NAT Traversal (NAT-T) recommends that devices on both ends should: • Detect the presence of NAT • Use a non-IPSec port so that NAT devices do not interfere with network traffic • Encapsulate IPSec in UDP • In addition, the Microsoft solution prevents IP fragments
How NAT-T Works • [Diagram: the packet (Orig IP Hdr, TCP Hdr, Data) first gets an ESP header inserted (Orig IP Hdr, ESP Hdr, TCP Hdr, Data), then a UDP header is inserted between the IP and ESP headers] • Sent by A: Orig IP Hdr | UDP src 4500, dst 4500 | ESP Hdr | Rest… • Received by B after the NAT devices (NAT1 Hdr, NAT2 Hdr) have rewritten the outer headers: Orig IP Hdr | UDP src XXX, dst 4500 | ESP Hdr | Rest… • Only the outer IP and UDP headers change in transit; the ESP header and the protected payload are untouched, so the packet still authenticates
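The two NAT-T mechanisms from the last two slides, NAT detection and UDP encapsulation of ESP, as an added example written for this page after the IETF NAT-T specifications (RFC 3947 for the NAT-D hashes, RFC 3948 for the UDP/ESP layout). It is not Windows or RRAS code; the cookies, addresses, ports and SPI are constructed, and SHA-1 stands in for whatever hash the IKE SA negotiated. The scenario is the one in the diagram: A sits behind a NAT and B receives its packets with a rewritten source port.

```python
"""Added example of NAT-T: NAT detection via NAT-D hashes and ESP inside
UDP 4500. Written for this page from RFC 3947/3948; all values constructed."""
import hashlib
import socket
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on port 4500 starts with 4 zero bytes (RFC 3948 s.2.2)


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port) (RFC 3947 s.3.2).
    SHA-1 is an assumption here; the real hash comes from the IKE SA."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_between(cky_i, cky_r, peer_claimed_hash, observed_ip, observed_port):
    """The peer hashes the address/port it believes it is sending from. If the
    hash of the source we actually saw on the wire differs, something rewrote
    the packet in flight: there is a NAT between us."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_claimed_hash


def udp_encapsulate_esp(spi, seq, esp_body, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """UDP header followed directly by the ESP header (RFC 3948 s.2.1). The UDP
    checksum is zero, as the RFC permits. SPI must be non-zero so the receiver
    can tell ESP from IKE (non-ESP marker) on the same port."""
    if spi == 0:
        raise ValueError("SPI 0 would collide with the non-ESP marker")
    esp = struct.pack("!II", spi, seq) + esp_body
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0)
    return udp + esp


def udp_encapsulate_ike(ike_message, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """IKE moved to port 4500 carries the non-ESP marker before the message."""
    body = NON_ESP_MARKER + ike_message
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(body), 0) + body


def nat_rewrite(datagram, new_src_port):
    """What a NAT does on the way out: rewrite the UDP source port (the outer IP
    header, not modelled here, is rewritten too). Nothing after the UDP header
    is touched, which is the whole point of the encapsulation."""
    return struct.pack("!H", new_src_port) + datagram[2:]


def classify_port4500(datagram):
    """Demultiplex a datagram received on UDP 4500 into IKE or ESP."""
    src, dst, _length, _csum = struct.unpack("!HHHH", datagram[:8])
    body = datagram[8:]
    if body[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "src_port": src, "dst_port": dst, "ike": body[4:]}
    spi, seq = struct.unpack("!II", body[:8])
    return {"kind": "esp", "src_port": src, "dst_port": dst,
            "spi": spi, "seq": seq, "esp_body": body[8:]}


# Constructed scenario: A is 10.0.0.5 behind a NAT that presents it to B
# (198.51.100.1) as 203.0.113.7 with rewritten source ports.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def run_scenario():
    # Step 1: in IKE, A sends a NAT-D hash of the address it thinks it has.
    a_claims = nat_d_hash(CKY_I, CKY_R, "10.0.0.5", 500)
    # B hashes the source it observed; mismatch means a NAT is in the path.
    nat_detected = nat_between(CKY_I, CKY_R, a_claims, "203.0.113.7", 31337)
    # Step 2: with NAT detected, ESP is sent inside UDP 4500 and survives
    # the NAT's port rewrite; B still finds the intact ESP header.
    sent = udp_encapsulate_esp(spi=0x1234ABCD, seq=1, esp_body=b"\xaa" * 16)
    received = nat_rewrite(sent, 31338)
    return nat_detected, classify_port4500(received)


if __name__ == "__main__":
    detected, parsed = run_scenario()
    print("NAT detected:", detected)
    print("B received:", parsed["kind"], "from port", parsed["src_port"], "SPI", hex(parsed["spi"]))
```

Between two peers with no NAT, the claimed and observed hashes match and both sides stay on UDP 500 with plain ESP; that is why the firewall rule list on the following slide needs both UDP 500 and UDP 4500.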
Interoperability Issues • VPN client and VPN server must support NAT-T • Issues with third-party devices • Better interoperability as time goes on • NAT devices do not need any changes • Firewall support • Allow UDP 4500 traffic • Allow UDP 500 traffic
NAT-T Status for Windows • Implemented to the IETF Proposed Standard • Interoperability tested with third-party gateways for L2TP/IPSec • Intended for L2TP/IPSec in Windows XP and earlier • Intended for all IPSec uses in Windows Server 2003 • (Notes below belong to a per-version support table that is not reproduced here) Note 1: Windows Update or hot fix Note 2: With hot fix Note 3: With Web download Note 4: Active FTP does not work Note 5: Some PMTU reductions do not work
Enforcing Remote Access Client Security • Problem: • Remote clients might not meet corporate security requirements • Insecure computers on the corporate network endanger the entire network • Solutions: • Disallow remote access • Trust users to keep remote clients secure • Create a separate network for VPN clients • Enforce security settings upon connecting • Disconnect clients that are not secure: Network Access Quarantine Control
The Quarantine Process • [Diagram: RAS Client on the Internet connects to the RRAS Server, which checks with the IAS Server] • 1. Connect • 2. Authenticate • 3. Authorize • 4. Quarantine and other filters applied according to the quarantine access policy • 5. Client-side check runs and reports its result • 6. Quarantine removed • 7. Full access
Agenda • Introduction • Real-World Patch Management Strategies • Real-World Remote Access Strategies • Troubleshooting Security Configurations
Resolving Security Template Conflicts • Use Resultant Set of Policies (RSoP) tools • Active Directory management tools • Group Policy Results from the GPMC • GPResult
Troubleshooting Application Failures • Applying security patches or security templates might prevent applications from working • Tools for troubleshooting application failures: • Network Monitor (traffic the application sends and receives) • File Monitor and Registry Monitor (file and registry accesses, including those denied by new ACLs) • Dependency Walker (missing or unloadable DLLs) • Cipher (EFS encryption state of files and folders)
Troubleshooting Services and Processes • You may need to troubleshoot services: • When services and processes fail to start • To confirm that all services and processes are legitimate • Tools to troubleshoot processes: • Tlist.exe or Process Explorer • Dependency Walker • Examine DLL properties
Troubleshooting Network Connectivity Issues • Ensure that only required ports are open on the computers • Tools for determining port usage: • netstat -o (on Windows XP or Windows Server 2003), which shows the owning process ID for each connection • Task Manager, to map that process ID to an image name • Test port usage for applications and services
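The "only required ports are open" check from this slide, as an added example written for this page rather than any Microsoft tool: it parses output in the layout of `netstat -ano` on Windows XP/2003, keeps only listening sockets, maps each PID to an image name the way Task Manager would, and compares the result to a baseline. The sample netstat output and PID-to-image table are constructed. The baseline records the expected image for each allowed port, so a known port bound by an unexpected process is flagged as well as an unknown port.

```python
"""Added example: compare listening ports from 'netstat -ano' output against a
baseline of allowed (protocol, port) -> expected image names. Written for this
page; the netstat output and process table below are constructed."""

# Constructed output in the layout of 'netstat -ano' on Windows XP / 2003.
# Note that UDP rows have no State column.
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1024
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:4444          0.0.0.0:0              LISTENING       2180
  TCP    10.0.0.5:1056          198.51.100.1:443       ESTABLISHED     1880
  UDP    0.0.0.0:161            *:*                                    1300
  UDP    0.0.0.0:500            *:*                                    680
"""

# Constructed PID -> image name table (what Task Manager or tasklist shows).
PROCESS_TABLE = {2204: "unknown.exe", 776: "svchost.exe", 4: "System",
                 1024: "svchost.exe", 2180: "unknown.exe", 1880: "iexplore.exe",
                 1300: "snmp.exe", 680: "lsass.exe"}

# Constructed baseline for this host role: allowed listener -> expected images.
BASELINE = {
    ("tcp", 80): {"inetinfo.exe"},
    ("tcp", 135): {"svchost.exe"},
    ("tcp", 139): {"System"},
    ("tcp", 445): {"System"},
    ("tcp", 3389): {"svchost.exe"},
    ("udp", 500): {"lsass.exe"},
    ("udp", 4500): {"lsass.exe"},
}


def parse_netstat(text):
    """Return one dict per connection row. Rows are split on whitespace and
    read from both ends, because UDP rows lack the State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                      # blank, banner and header lines
        proto = fields[0].lower()
        ip, port = fields[1].rsplit(":", 1)   # rsplit also copes with [::]:135
        rows.append({"proto": proto, "ip": ip, "port": int(port),
                     "state": fields[3] if proto == "tcp" else "",
                     "pid": int(fields[-1])})
    return rows


def listeners(rows):
    """UDP sockets are always 'listening'; TCP only in LISTENING state."""
    return [r for r in rows if r["proto"] == "udp" or r["state"] == "LISTENING"]


def unexpected_listeners(netstat_text, process_table, baseline):
    """Return findings: listeners not in the baseline, or on an allowed port
    but owned by a process the baseline does not expect there."""
    findings = []
    for r in listeners(parse_netstat(netstat_text)):
        image = process_table.get(r["pid"], "<unknown pid>")
        expected = baseline.get((r["proto"], r["port"]))
        if expected is None:
            reason = "not in baseline"
        elif image not in expected:
            reason = "unexpected process"
        else:
            continue
        findings.append({**r, "image": image, "reason": reason})
    return findings


def check_sample():
    return unexpected_listeners(NETSTAT_SAMPLE, PROCESS_TABLE, BASELINE)


if __name__ == "__main__":
    for f in check_sample():
        print(f"{f['proto']}/{f['port']} pid {f['pid']} ({f['image']}): {f['reason']}")
```

On the sample this reports TCP 80 (allowed port, but bound by unknown.exe instead of inetinfo.exe), TCP 4444 and UDP 161 (not in the baseline); the ESTABLISHED outbound connection is correctly ignored. The baseline is the "document the normal settings" item from the best-practices slide in machine-readable form.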
Best Practices for Troubleshooting • Use a formal change and configuration management strategy for all security changes • Test all security configuration changes • Use RSOP tools in planning mode • Document the normal settings • Have a rollback strategy • Troubleshoot securely
Session Summary • Real-World Patch Management Strategies • Real-World Remote Access Strategies • Troubleshooting Security Configurations
For More Information • Microsoft Security Site (all audiences) • http://www.microsoft.com/security • TechNet Security Site (IT professionals) • http://www.microsoft.com/technet/security • MSDN Security Site (developers) • http://msdn.microsoft.com/security