530 likes | 801 Views
OSP201. The Ten Immutable Laws of Microsoft SharePoint Security. Rick Taylor Senior Technical Architect PERFICIENT. Who am I???. Who Am I?. The Pleasurable. The Powerful. The Guardian of Lost Souls. The Indestructible. Rick Taylor. Slick Rick – if you’re nasty. Agenda.
E N D
OSP201 The Ten Immutable Laws of Microsoft SharePoint Security Rick Taylor Senior Technical Architect PERFICIENT
Who am I??? Who Am I? The Pleasurable The Powerful The Guardian of Lost Souls The Indestructible Rick Taylor Slick Rick – if you’re nasty
Agenda • The OSI Model • Attack Surfaces • Best Practices at securing each layer
What’s the point? • Security is more than just AuthN/AuthZ • Security is like dressing for the cold (do it in layers; aka: DiD (Defense in Depth) ) • In Security, the WHY is more important than the HOW
A Word about Security • Security and complexity are often inversely proportional. • Security and usability are often inversely proportional. • Security is an investment, not an expense. • "Good enough" security now, is better than "perfect" security ...never • There is no such thing as "complete security" in a usable system. • A false sense of security is worse than a true sense of insecurity. • Your absolute security is only as strong as your weakest link. • Concentrate on known, probable threats. • Security is directly related to the education and ethics of your users. • Security is not a static end state, it is an interactive process. • There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished. • You only get to pick two: fast, secure, cheap. • In the absence of other factors, always use the most secure options available. • Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done.
Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
What is Layer 1 • Defines electrical and physical specifications • Defines relationship between a device and its medium (Copper, optical, radio, etc)
Layer 1 Attack Surfaces • The medium • Cable • Air • The host • Via Keyboard • Via conduit (RDP host)
Securing Layer 1 - continued • Locks • Cages
LAW #2 - If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
What is Layer 2? How data is transferred from node to node across a network. • Sublayers • Media Access Control (MAC) • Logical Link Control (LLC) • Application Protocol Convergence (APC) • Protocols • ARP • PPP
Layer 2 Attack Surfaces • Wireless Access Points • Wardriving • Hubs • Broadcasting (rare) • Switches (ARP) • Man-in-the-Middle Attacks
Securing Layer 2 • Wireless Networks • Sniffers • ARP flooding
Securing Layer 2 - continued • Strong passwords on wireless routers • Strong encryption on wireless networks • Use ARP Defense software/hardware • Use DHCP Snooping • Track the physical location of hosts. • Ensure that hosts only use the IP addresses assigned to them. • Ensure that only authorized DHCP servers are accessible.
Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone
What is Layer 3? • Performs network routing functions • 3 sublayers: • Subnetwork Access • Subnetwork Dependent Convergence • Subnetwork Independent Convergence • Protocols • IP • Services • ICMP
Layer 3 Attack Surfaces • Unused Open Ports • Commonly Open Ports • Packet inspection
Benefits of IPsec IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network • IPsec has two goals: to protect IP packets and to defend against network attacks • Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other • IPsec secures network traffic by using encryption and data signing • An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated
Securing Layer 3 • Prevent ICMP abuse • DDoS • Add “no ip directed-broadcast” to the router (Smurf bounce) • Drop (disable) ICMP - *maybe* to prevent malware from “Phoning Home” • Use IPSec • Use Network Policy Processing
START Yes No Go to next policy Does connection attempt match policy conditions? Are there policies to process? No Yes Yes Is the remote access permission for the user account set to Deny Access? No Reject connection attempt Yes No Reject connection attempt Is the remote access permission for the user account set to Allow Access? Is the remote access permission on the policy set to Deny remote access permission? No Yes Accept connection attempt Yes No Does the connection attempt match the user object and profile settings? Network Policy Processing
Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore
What is Layer 4? • Responsible for reliable communication between endpoints • Protocols • Connection-Oriented • TCP • Connectionless • UDP
Layer 4 Attack Surfaces • The operating system (OS Fingerprinting)
Securing Layer 4 • Use routers between network segments • Use private IP addresses on internal network • Use SSL • PEN test your network • Enable “Fingerprint Scrubbing” on routers
Securing Layer 4 - continued • Alter the OS kernel • Change the default IP time-to-live • Change the initial TCP window size • Modify network-related registry entries
Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more
What is Layer 5? • Responsible for connections between hosts • Establish, Manage, Termination • Checkpointing • Protocols • Remote Procedure Calls (RPC)
Layer 5 Attack Surfaces • Session hijacking • DNS Poisoning • DDoS
Quick Test • Step 1 Browse to http://bad.ketil.froyn.name/ • Step 2 Browse to http://www.example.com • If you see a link to RFC 2606 you are safe. • If you see a page saying POISONED…update your resume…jk
Securing Layer 5 • Choose your authentication protocols wisely • Less secure protocols maybe be tunneled through more secure protocols • Configure DNS correctly • Specify IP address of authorized DNS servers
What is Layer 6? • Presentation = Translation • Responsible for representing data in different formats • Responsible for serialization of objects to and from XML
Layer 6 Attack Surfaces • NetBIOS • SMB • IPC$
Securing Layer 6 • Lock down Null Session capability • For Clients: • HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous • 0 – Default setting. • 1 – Null session can not be used to enumerate shares or user names • For Servers • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous • 0 – Default setting. Null sessions can be used to enumerate shares • 1 – Null sessions can not be used to enumerate shares • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM • 0 – Null sessions can enumerate user names • 1 – Default setting. Null sessions can not enumerate user names
Law #6: Absolute anonymity isn't practical, in real life or on the Web
What is Layer 7? • Top layer of OSI model • Interfaces directly with applications and their processes. • Most of us focus primarily (if not exclusively) at this layer
Layer 7 Attack Surfaces • DNS • FTP • SMTP • Telnet • SQL • Etc, etc, etc
Securing Layer 7 • Use GPO policies to block software installation • Use GPO policies to prevent misuse of accounts • Use NAP to enforce access policies • Use IPSec to secure host to host and host to server communications • Follow Best Practices for securing service accounts
Law #8: A computer is only as secure as the administrator is trustworthy • Service Accounts • Farm • Setup • Application Pool • SQL
SharePoint Service Accounts • SQL Server Service Account • SharePoint Setup User Account • SharePoint Farm Service Account
SharePoint Service Accounts • Fewest is best • Least Privilege is best • Some rights will change (and not all are “Service” accounts)
Law #9: Your infrastructure is as strong as your weakest link
10 Immutable Laws of Security Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore Law #3: If a bad guy can view your conversation, you have just invited him to tell everyoneLaw #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more Law #6: Absolute anonymity isn't practical, in real life or on the Web Law #7: Weak passwords trump strong security Law #8: A computer is only as secure as the administrator is trustworthy Law #9: Your infrastructure is only as strong as your weakest linkLaw #10: Technology is not a panacea
Thank you for attending! Please be sure to fill out your session evaluation!
Resources • Connect. Share. Discuss. http://northamerica.msteched.com Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet • http://microsoft.com/msdn