350 likes | 700 Views
EDUCAUSE 2006: Seminar 09F . Effective Security Practices for Higher Education WINDOWS SECURITY John Bruggeman Director of Information Systems Hebrew Union College – Jewish Institute of Religion. Windows Security !. Agenda Top Vulnerabilities in Windows Systems (Is there anything new?)
E N D
EDUCAUSE 2006: Seminar 09F Effective Security Practices for Higher Education WINDOWS SECURITY John Bruggeman Director of Information Systems Hebrew Union College – Jewish Institute of Religion
Windows Security ! • Agenda • Top Vulnerabilities in Windows Systems • (Is there anything new?) • Frequent Security mistakes • (Avoid being 0wn3d by a b0t) • Patching Windows • (What happened to cleaning them?) • Hardening Windows • (Tempered Glass doesn’t count!) • Tools and Tips • (What do the Pro’s use and Hackers use?)
Windows Security !? • Top Vulnerabilities in Windows Systems • From the SANS website www.sans.org • Windows Services • Internet Explorer • Windows Libraries • MS Office and Outlook Express • Windows Configuration Weaknesses
Windows Security !? • Top Vulnerabilities in Windows Systems • From the SANS website www.sans.org • Windows Services • Critical Vulnerabilities were discovered in these services in 2005 • MSDTC and COM+ (MS05-051) • Print Spooler (MS05-043) • Plug and Play (MS05-047, 039) • Server Message Block Service (MS05-027, 011) • Exchange SMTP Service (MS05-021) • Message Queuing Service (MS05-017) • License Logging Service (MS05-010) • What to do? • Disable Service if possible • Scan for Vulnerabilities • PATCH
Windows Security !? • From the SANS Website www.sans.org 2) Internet Explorer • Multiple vulnerabilities were discovered in 2005 in IE • Cummulative Security Patch (MS05-052, 038, 025, 020, 014,) • JView Profile Remote Code Execution (MS05-037) • Windows Shell Remote Code Execution (MS05-008) • How to mitigate • On XP, install SP2 • On 2000, NT, keep patches current • Use DropMyRights from MS to lower IE privileges • Check your Broswer Helper Objects (BHO) for spyware • Disable Scripting and ActiveX
Windows Security !? • From the SANS Website www.sans.org 3) Windows Libraries • DLL’s can have buffer overflow vulnerabilities • Vulnerabilties discovered in 2005 • Windows Graphic Rendering Engine (MS05-053) • Microsoft Direct Show (MS05-036) • HTML Help remote code exec (MS05-026, 001) • Web View remote code exec (MS05-024) • Windows Shell remote code (MS05-049, 016) • PNG Image Processing remote code (MS05-009) • Patch your system and scan for vulnerabitlites • Use least privileges where possible • Filter IP ports 135-139, 445, • Use an IPS and IDS
Windows Security !? • From the SANS Website www.sans.org 4) MS Office and Outlook Express • Attack vectors are email attachments, website documents, and news servers • Several critical vulnerabilities in 2005 • Cumulative Security for Outlook Express (MS05-030) • Microsoft OLE and COM remote (MS05-012) • MS Office XP remote code exec (MS05-005) • MS Access – no patch yet available • Check your systems with a vulnerability scanner • Mitigate by patching, disable IE feature of opening Office documents • Configure Outlook with enhanced security
Windows Security !? • From the SANS Website www.sans.org 5) Windows configuration Weaknesses • Weak passwords on accounts or network shares • LAN Manager hashes are weak and should be replaced with stronger more current hash techniques • Default configuration for servers and applications can open machines to password guessing. • MSDE ships with SA account set with a blank password. • Several worms take advantage of this, Voyager, Alpha Force, SQL Spida use known weak configurations to spread • Enforce a strong password policy • Prevent Windows from storing the LM hash in AD or the SAM • Disable NULL shares and restrict anonymous access
Windows Security !?% • Frequent Mistakes made in Windows Security • Deirdre Hurley • www.sans.org/reading_room/whitepapers/windows/1016.php • Allowing Null Sessions • Weak Lockout Policies • Weak Account Policies • Multiple Trust relationships • Multiple Domain admin accounts • Audit logs turned off • Automatic Updates turned off
Windows Security !?% • Frequent Mistakes made in Windows Security • Allowing Null Sessions • What is a Null session? • Net use \\10.1.1.1\ipc$ “” /user:”” • So what? • You can download usernames, login information, lockout policy information, etc. • How do you disable one? • MS Security Policy MMC snap-in • Update registry key • \\HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous • Tools to test • www.securityfriday.com/tools/GetAcct.html
Windows Security !?% • Frequent Mistakes made in Windows Security • Weak Lockout Policies • If you don’t have one then brute force attacks can succeed • If you do have one it becomes more difficult • Suggested levels • Enable Account Lockout Threshold at 5 attempts • Enable Account Lockout Duration to 30 minutes • Disable Reset Account Lockout Threshold after • Also, enable Administrator account lockout • Get the ADSI Edit Snap-in from Windows 2000 support tools • http://support.microsoft.com/kb/885119/en-us
Windows Security !?% • Frequent Mistakes made in Windows Security • Weak Account Policies • Be aware, local account policies on 2000 over ride domain account policies • Some admins create local users to match domain users • Forget to set the local Administrator password, sometimes leaving it blank • General rules for accounts and passwords • Maximum password age 90 days • Minimum password age 5 days • Minimum password length of at least 7 characters, 14 for Administrators • Password Uniqueness – remember 13 passwords
Windows Security !?% • Frequent Mistakes made in Windows Security • Multiple Trust relationships • Limit the number of trusts in your domain • Fewer gaps, less that has to be guarded • Windows 2000 Tool to find out what trusts you have • NT Resource Kit - NLTEST
Windows Security !?% • Frequent Mistakes made in Windows Security • Multiple Domain admin accounts • Avoid the mistake of having three or four (or more) Domain accounts, or having domain privileges with “normal” users • Use the practice of least privileges for all accounts • Change default passwords for typical accounts • Backup software • ArcServe, Tivoli, BackupExec • Test accounts • Test, dummy, • Lab accounts • Administrator accounts
Windows Security !?% • Frequent Mistakes made in Windows Security • Audit logs turned off • By default audit logs are turned off • Hackers have tools like DUMPACL and DumpSec to find out if auditing is turned on or off • Recommend settings for Auditing • Account logon events (Success and Failures) • Logon Events • Account Management • Policy Changes • System Events • Object Access (Success and Failures) • Files, folders, and registry keys must then be set
Windows Security !?% • Frequent Mistakes made in Windows Security • Updates turned off • SANS, Gartner Group, others report that 80-90% of attacks are from known vulnerabilities. • SQL Slammer, W32.Slammer in 2005 attacked a known vulnerability that had a patch available 6 months before it hit. • Need to patch systems and keep them current • Does require a patch management strategy • Will require time • Payoff is less downtime
Windows Security !?%# • Patching Windows • Rod Gode, UC Davis IT Security Symposium 2005 • What to Patch and How to Patch • Options • Commercial • Microsoft Provided • Deployment and Testing • Get some test machines • Verification • MBSA
Windows Security !?%# • Patching Windows • What to Patch • OS • Applications • BIOS • Firmware • Types of Patches from MS • Hotfix, Update, Critical Update, Security Patch, Update Roll-up, Service Pack
Windows Security !?%# • How to Patch • Develop a Plan • Hardware and Software Inventory • Patch management Policy & Process • Include a notification process • Track & check patch level • Download and test patches prior to deployment • Deploy patches • Audit workstations for compliance
Windows Security !?%# • How to Patch • Tools from Microsoft (MS) • Analysis tool from MS, Microsoft Baseline Security Analyzer (MBSA) • Online update services – • Microsoft Update, Windows Update, or Download Center • Push / Management tools • WSUS server, SMS server, Group Policies
Windows Security !?%# • How to Patch • Tools from Microsoft • Microsoft Update is different than Windows Update • MU updates all MS products not just windows • Office updates, Server product patches • WSUS is updated SUS server • New version coming out, WSUS 3.0 in Beta now • www.microsoft.com/wsus • Target client installs, selective client patching, uninstall options
Windows Security !?%# • How to Patch • Commercial Tools • Altiris Patch Management • www.altiris.com • BigFix Patch Manager • www.bigfix.com • Ecora Patch Manager • www.ecora.com • LanDesk Patch Management • www.landesk.com
Windows Security !?%# • Deployment Options • WSUS and SMS • Group Policy options (2000 & XP only) • Create an Install Package (MSI file) containing the patch, see KB article 257718 on how to do this • Store the MSI file on a network share • Assign the patch to groups via a group policy • Chose the assigned publishing method • Patch will be installed on assigned computers using the Windows installed program • Slipstream • Create an image w/ service packs and patches
Windows Security !?%# • Testing and Verification • Patch systems are not perfect, you need to test after patches have been applied • Tools • Microsoft Baseline Security Analyzer 2.0 • Used for Windows 2000 + SP3 and later • Office XP and later • Exchange 2000 and later • Microsoft Baseline Security Analyzer 1.2.1 • Office 200 • Exchange 5.0 and 5.5
Windows Security !?%# • Testing and Verification • Commercial Tools • BindView - www.bindview.com • Computer Associates - www.ca.com • Network Associates – www.nai.com • Symantec – www.symantec.com • Trend Micro – www.trendmicro.com • Foundstone – www.foundstone.com
Windows Security !! • Hardening Windows • Advanced Information Assurance Handbook, CERT • Hardening techniques • Limit services • Limit applications • Limit protocols • Intrusion Protection techniques • Software options to monitor file changes • Host based firewalls • Tools from Microsoft
Windows Security !! • Hardening Windows • Hardening techniques • Limit services • Verify what services are needed • On servers, usually these can be disable • IIS (unless needed), Fax service, Indexing service, Messenger, Telnet, Remote Access, QoS RSVP, others. • On workstations disable unless needed • Fax service, Indexing service, messenger, Telnet, others • Enable firewall
Windows Security !! • Hardening Windows • Hardening techniques • Limit applications • Verify what applications are needed, many can be removed without impacting functionality • On servers, usually you can remove the following • Outlook Express, IIS, Media Player, Journal viewer, Games, POSIX, OS2 subsystem • On workstations, usually you can remove the same • Limit what applications end users can run • Do not allow end users to install applications
Windows Security !! • Hardening Windows • Hardening techniques • Limit protocols • Verify what protocols are needed for your network • On servers normally TCP/IP is sufficient • On workstations normally TCP/IP is all that is needed • Remove IPX/SPX, NetBios, • Limit Network devices • Bluetooth (disable unless needed) • Wireless (disable unless needed) • Firewire (disable unless needed)
Windows Security !! • Hardening Windows • Firewalls • Host based firewalls • Server options • Windows 2003 SP1 firewall option • Workstation options • XP SP2, ZoneAlarm, Tiny Personal Firewall • 85 listed on Download.com • IPSEC • Encrypt traffic from host to host
Windows Security !! • Hardening Windows • Intrusion Protection Systems • IPS vs IDS • Why detect when you can protect? • Signature vs Anomoly • IPS can be host or network based • IPS Host options • EEye BLINK, Prevx Home • IDS host options • SFC System File Check from MS (can be spoofed) • LanGuard • IPS Network options • Forescout, Tipping Point, McAfee, ISS are options
Windows Security !! • Hardening Windows • Tools from Microsoft • www.microsoft.com/technet/security/tools • MBSA 2.0 • Microsoft Enterprise Scan Tool • Security Assessment Tool • IIS Lockdown Tool • Hardens ISS • URLScan Security Tool • Included in IIS lockdown tool • Cipher Security Tool • Shredder for deleted files • Port Reporter • Logging tool for TCP and UDP activity on XP, 2003, 2000
Windows Security :-) • Tools and Techniques • Shareware tools • MetaSploit • Framework for testing exploits • Nessus • Scanning tool to check for vulnerabilities • Ethereal • Packet sniffer
Windows Security :-) • Tools and Techniques • Shareware Tools • MetaSploit • DEMO • Nessus • DEMO • Ethereal • DEMO
Windows Security :-) • Resources • www.educause.edu/security • www.microsoft.com/technet/security • www.sans.org/reading_room/whitepapers/windows • www.securityfriday.com • www.cert.org • www.hackingexposed • www.incidents.org