Securing Windows Networking
Risk Analysis & Access Control
Topics
• Risk Analysis
  • Mapping Your Network Services
  • Understanding Your Traffic
  • Controlling Network Access
• Access Control
  • Restricting Physical Access
  • Account Management
• Questions
Risk Analysis
• Mapping Your Network Services
  • Logical Diagram
    • IP addresses of all devices
    • Physical Location
    • Networks/Masks
  • Identify Ingress/Egress points
  • Identify Critical Services
  • Living Document
Risk Analysis
• Mapping Your Network Services (cont.)
  • Services List
    • All services, by subnetwork
    • All services that cross subnetwork boundaries
  • What does it look like now?
    • Request NERDC scanning service to provide an external view
    • Use port scanner to provide internal view
Risk Analysis
• Understanding your traffic
  • NBTstat
  • Netstat
  • SMS Network Monitor
  • Collect traffic sample from each subnetwork
  • Determine protocol distribution (IP, IPX, ARP, BPDUs, etc.)
  • Note IP addresses, services
  • Reevaluate periodically
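The two slides above ask for a services list per subnetwork, a list of services that cross subnetwork boundaries, and a periodic look at netstat output. The following Python is an added example, not part of the presentation: it parses a constructed sample of `netstat -an` output from a hypothetical NT server at 10.1.1.5, attributes each listening socket to a subnetwork from a hypothetical logical-diagram map (`SUBNETS`), lists established connections whose two ends sit in different subnetworks, and flags any listener on the trojan control ports the later slides tell you to filter. The host address, the subnet map and the netstat text are all assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of "netstat -an" output from a hypothetical NT server at 10.1.1.5.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.1.1.5:139           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:139           10.1.1.20:1034         ESTABLISHED
  TCP    10.1.1.5:80            10.2.3.7:2215          ESTABLISHED
  TCP    10.1.1.5:12345         0.0.0.0:0              LISTENING
  UDP    10.1.1.5:137           *:*
"""

# Hypothetical subnetwork map (name -> network) taken from the logical diagram.
SUBNETS = {
    "servers": ipaddress.ip_network("10.1.1.0/24"),
    "workstations": ipaddress.ip_network("10.2.0.0/16"),
}

# Trojan control ports named on the access-list slides, as (protocol, port).
SUSPECT_PORTS = {("TCP", 12345), ("TCP", 12346), ("UDP", 31337), ("TCP", 20034)}

HOST_IP = "10.1.1.5"   # assumed address of the host the sample was taken on


def subnet_of(addr):
    """Name of the subnetwork containing addr, or 'external' if none on the map does."""
    ip = ipaddress.ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "external"


def parse_netstat(text):
    """Turn netstat -an lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = parts[1].rsplit(":", 1)
        faddr, fport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0], "laddr": laddr, "lport": lport,
            "faddr": faddr, "fport": fport,
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def _bound_address(row, host_ip):
    # A 0.0.0.0 wildcard bind listens on every interface; attribute it to the host.
    return host_ip if row["laddr"] == "0.0.0.0" else row["laddr"]


def services_by_subnet(rows, host_ip=HOST_IP):
    """Listening sockets keyed by the subnetwork of the interface they are bound to."""
    listening = defaultdict(set)
    for r in rows:
        # UDP rows have no state column; a '*:*' foreign address marks an open socket.
        is_open = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["faddr"] == "*")
        if is_open:
            listening[subnet_of(_bound_address(r, host_ip))].add((r["proto"], int(r["lport"])))
    return {name: sorted(ports) for name, ports in listening.items()}


def crossing_connections(rows, host_ip=HOST_IP):
    """Established connections whose two ends sit in different subnetworks."""
    crossing = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        local_net = subnet_of(_bound_address(r, host_ip))
        remote_net = subnet_of(r["faddr"])
        if local_net != remote_net:
            crossing.append((r["proto"], int(r["lport"]), r["faddr"], remote_net))
    return crossing


def suspect_listeners(rows):
    """Open sockets sitting on the trojan control ports named on the slides."""
    found = set()
    for ports in services_by_subnet(rows).values():
        found.update(p for p in ports if p in SUSPECT_PORTS)
    return sorted(found)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("services by subnetwork:", services_by_subnet(rows))
    print("crossing connections:", crossing_connections(rows))
    print("suspect listeners:", suspect_listeners(rows))
```

Run against real output, the services-by-subnetwork dictionary is the "services list" the slide asks for, and re-running it on a schedule gives the "reevaluate periodically" diff: any port that appears in the listener list without appearing on the logical diagram is the thing to investigate.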
Risk Analysis
• Controlling Network Access
  • Convert shared media to switched
  • Separate servers from workstations by placing them in different subnetworks
  • Restrict management access of network hardware to trusted network or addresses
Risk Analysis
• Controlling Network Access (cont.)
  • Disable IP source-routing on routers
  • Make sure RIP routing is disabled on systems with RRAS
  • Use TCP/IP Advanced Security
Risk Analysis
• Controlling Network Access (cont.)
  • Use router access lists to filter outbound traffic from each subnetwork, at a minimum:
    • NetBus (t-12345/12346), Back Orifice (u-31337), NetBus Pro (t-20034)
    • ICMP types 9 & 10 (IRDP)
    • Proper Source Addresses
Risk Analysis
• Controlling Network Access (cont.)
  • Use router access lists to filter inbound traffic at the peering point, at a minimum:
    • No packets sourced with internal addresses
    • NetBus (t-12345/12346), Back Orifice (u-31337), NetBus Pro (t-20034)
    • ICMP types 9 & 10 (IRDP)
    • ICMP to any internal broadcast addresses
    • SNMP, if appropriate
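The two access-list slides describe a minimum filter set for outbound traffic leaving each subnetwork and for inbound traffic at the peering point. The Python below is an added example written for this page, not router configuration from the presentation: it models those rules as a small packet evaluator so the policy can be checked against sample packets before it is typed into a real access list. The internal address space, the sample packets and the SNMP port numbers (161 for the agent, 162 for traps, which the slide does not state) are assumptions; the trojan ports and ICMP types come from the slides.

```python
import ipaddress

# Hypothetical internal address space sitting behind the peering router.
INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.0.0/16")]

# Control ports of the trojans named on the slides: (protocol, port).
TROJAN_PORTS = {("tcp", 12345), ("tcp", 12346), ("udp", 31337), ("tcp", 20034)}
IRDP_ICMP_TYPES = {9, 10}                  # router advertisement / router solicitation
SNMP_PORTS = {("udp", 161), ("udp", 162)}  # standard SNMP agent and trap ports (assumed)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_broadcast(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def evaluate(pkt, direction, filter_snmp=True):
    """Apply the slides' minimum filter set to one packet.

    pkt: dict with proto ('tcp', 'udp' or 'icmp'), src, dst, and either dport
    (tcp/udp) or icmp_type (icmp).  direction: 'inbound' (at the peering point)
    or 'outbound' (leaving a subnetwork).  Returns (action, reason); the first
    matching deny wins, and anything not denied is permitted.
    """
    proto = pkt["proto"]
    # Anti-spoofing: nothing arriving from outside may claim an internal source,
    # and nothing leaving a subnetwork may carry a source address we do not own.
    if direction == "inbound" and is_internal(pkt["src"]):
        return ("deny", "packet sourced with an internal address")
    if direction == "outbound" and not is_internal(pkt["src"]):
        return ("deny", "improper source address leaving the subnetwork")
    if proto in ("tcp", "udp"):
        key = (proto, pkt["dport"])
        if key in TROJAN_PORTS:
            return ("deny", "trojan control port %s/%d" % key)
        if direction == "inbound" and filter_snmp and key in SNMP_PORTS:
            return ("deny", "SNMP from outside the peering point")
    elif proto == "icmp":
        if pkt["icmp_type"] in IRDP_ICMP_TYPES:
            return ("deny", "IRDP (ICMP type %d)" % pkt["icmp_type"])
        if direction == "inbound" and is_internal_broadcast(pkt["dst"]):
            return ("deny", "ICMP to an internal broadcast address")
    return ("permit", "no deny rule matched")


# Constructed sample packets, one per rule plus two that should be permitted.
SAMPLES = [
    ("inbound", {"proto": "tcp", "src": "10.2.3.7", "dst": "10.1.1.5", "dport": 80}),
    ("inbound", {"proto": "tcp", "src": "198.51.100.4", "dst": "10.1.1.5", "dport": 12345}),
    ("inbound", {"proto": "icmp", "src": "198.51.100.4", "dst": "10.1.1.255", "icmp_type": 8}),
    ("inbound", {"proto": "icmp", "src": "198.51.100.4", "dst": "10.1.1.5", "icmp_type": 9}),
    ("inbound", {"proto": "udp", "src": "198.51.100.4", "dst": "10.1.1.5", "dport": 161}),
    ("inbound", {"proto": "tcp", "src": "198.51.100.4", "dst": "10.1.1.5", "dport": 80}),
    ("outbound", {"proto": "udp", "src": "10.2.3.7", "dst": "198.51.100.4", "dport": 31337}),
    ("outbound", {"proto": "tcp", "src": "192.0.2.1", "dst": "198.51.100.4", "dport": 80}),
    ("outbound", {"proto": "tcp", "src": "10.2.3.7", "dst": "198.51.100.4", "dport": 80}),
]


def run_samples(samples=SAMPLES):
    """Action decided for each sample packet, in order."""
    return [evaluate(pkt, direction)[0] for direction, pkt in samples]


if __name__ == "__main__":
    for direction, pkt in SAMPLES:
        print(direction, pkt, "->", evaluate(pkt, direction))
```

The evaluator keeps the two anti-spoofing rules first, which is also the right order in a real access list: a packet with a forged internal source should never reach the port-based rules at all.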
Access Control
• Controlling Physical Access
  • Critical Systems
    • Secure behind a locked door
    • Lockable cases
    • Backup power
    • Backup solution w/central storage
    • Use BIOS passwords
    • Disable floppy boot
Access Control
• Controlling Physical Access (cont.)
  • Critical Systems (cont.)
    • Use password protected screensaver whenever unattended
    • Secure network connection
    • NT caches credentials of last 10 users
    • MAC address locking
    • No uncontrolled modems
Access Control
• Account Management
  • Use Strong Passwords
    • Password Filtering - PASSFILT.DLL
      • minimum length
      • character class restrictions
      • no name or full name
      • policy customizable
  • Avoid Clear-Text Passwords
    • Use Only Windows NT as a client
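The PASSFILT.DLL bullets list the checks a password filter applies: a minimum length, character-class restrictions, and no user name or part of the full name in the password. The Python below is an added example for this page, not PASSFILT.DLL itself or any Microsoft code: it implements those rules as a reusable check that returns every violation rather than just the first one, so the caller can tell the user exactly what to fix. The defaults (6 characters, three of the four character classes, name fragments of three or more letters) are assumptions chosen to match the slides; the minimum length of 6 also matches the account-policy slide.

```python
def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, other) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password, username="", full_name="", min_length=6, min_classes=3):
    """Return the list of policy violations; an empty list means the password is accepted.

    The policy is customizable through min_length and min_classes, mirroring the
    'policy customizable' bullet on the slide.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if character_classes(password) < min_classes:
        problems.append("uses fewer than %d character classes" % min_classes)
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for part in full_name.split():
        # Ignore very short fragments such as initials (assumed threshold of 3).
        if len(part) >= 3 and part.lower() in lowered:
            problems.append("contains part of the full name (%s)" % part)
    return problems


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    for candidate in ("Tr0ub4dor!", "smith123", "Ab1", "Jsmith#1"):
        print(repr(candidate), "->", check_password(candidate, "jsmith", "John Smith") or "accepted")
```

Comparisons are done on the lowercased password so that mixing case in a name fragment ("SmItH") does not slip past the name check.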
Access Control
• Account Management
  • Define Strong Account Policy
    • Maximum Age - 180 days or less
    • Minimum Age - 5 days or more
    • Minimum Length - 6 characters or more
    • Uniqueness - Last 36, or (Age-max/Age-min)
    • Account Lockout - 5 bad attempts within 30 min
    • Lockout Period - 30 minutes or more
Access Control
• Account Management (cont.)
  • Define Strong Account Policy (cont.)
    • User must logon to change password
    • Use logon hours
    • Forcibly disconnect users, if appropriate
  • Restrict User Rights
    • Access this computer from network
    • Log on locally - admin only
    • Manage auditing and security log - admin only
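The account-policy slides set lockout at 5 bad attempts within 30 minutes and a lockout period of 30 minutes or more. The Python below is an added example, not part of the presentation and not NT's own lockout code: it replays a constructed list of logon events through those thresholds, so an administrator can see which accounts the policy would lock and which attempts would be rejected while locked. The log format (date, time, account, FAILURE/SUCCESS) and every account in it are made up for the example; a successful logon clearing the bad-attempt counter is also an assumption about the policy.

```python
from collections import deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                        # bad attempts ...
OBSERVATION_WINDOW = timedelta(minutes=30)   # ... within 30 minutes
LOCKOUT_DURATION = timedelta(minutes=30)     # lockout period

# Constructed logon records, one per line: date, time, account, result.
SAMPLE_LOG = """\
2000-01-01 08:00:00 jsmith FAILURE
2000-01-01 08:00:00 bob FAILURE
2000-01-01 08:00:00 alice FAILURE
2000-01-01 08:01:00 bob FAILURE
2000-01-01 08:02:00 jsmith FAILURE
2000-01-01 08:02:00 bob FAILURE
2000-01-01 08:03:00 bob FAILURE
2000-01-01 08:04:00 bob SUCCESS
2000-01-01 08:05:00 jsmith FAILURE
2000-01-01 08:05:00 bob FAILURE
2000-01-01 08:06:00 bob FAILURE
2000-01-01 08:07:00 jsmith FAILURE
2000-01-01 08:07:00 bob FAILURE
2000-01-01 08:08:00 bob FAILURE
2000-01-01 08:09:00 jsmith FAILURE
2000-01-01 08:15:00 jsmith SUCCESS
2000-01-01 08:25:00 alice FAILURE
2000-01-01 08:50:00 alice FAILURE
2000-01-01 09:15:00 alice FAILURE
2000-01-01 09:40:00 alice FAILURE
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        date, time, account, result = line.split()
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        events.append((ts, account, result == "SUCCESS"))
    return sorted(events, key=lambda e: e[0])


def evaluate_lockouts(events):
    """Replay logon events against the lockout policy.

    Returns (lockouts, rejected): lockouts is [(account, time_locked)], rejected is
    [(time, account)] for attempts made while the account was still locked.  The
    counter for an account is the number of failures inside the observation window;
    a successful logon clears it, and rejected attempts do not touch it.
    """
    failures, locked_until = {}, {}
    lockouts, rejected = [], []
    for ts, account, ok in events:
        if account in locked_until and ts < locked_until[account]:
            rejected.append((ts, account))
            continue
        window = failures.setdefault(account, deque())
        if ok:
            window.clear()
            continue
        window.append(ts)
        # Drop failures that have aged out of the observation window.
        while ts - window[0] > OBSERVATION_WINDOW:
            window.popleft()
        if len(window) >= LOCKOUT_THRESHOLD:
            locked_until[account] = ts + LOCKOUT_DURATION
            lockouts.append((account, ts))
            window.clear()
    return lockouts, rejected


if __name__ == "__main__":
    locked, refused = evaluate_lockouts(parse_log(SAMPLE_LOG))
    print("locked out:", locked)
    print("refused while locked:", refused)
```

In the sample, jsmith reaches five failures in nine minutes and is locked; bob's eight failures are split by a successful logon and never reach the threshold; alice fails every 25 minutes, so at most two failures ever share a 30-minute window. That last case is exactly the slow pattern a sliding window misses, which is why the slides also ask you to audit and monitor accounts rather than rely on lockout alone.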
Access Control
• Account Management (cont.)
  • Restrict User Rights (cont.)
    • Take ownership of files/objects - admin only
    • Change system time - admin only if possible
    • Force shutdown from remote system
    • Shutdown locally, what's appropriate?
Access Control
• Account Management (cont.)
  • Special Accounts
    • Administrator - Change name
    • Create dummy administrator account, monitor
    • Guest Account - Disable
    • Use dedicated service accounts
    • Monitor unusual behavior in IUSR_ accounts
Access Control
• Account Management (cont.)
  • Winlogon Considerations
    • Use logon banners which state at a minimum:
      • Logon is restricted to authorized users only
      • All subsequent actions are subject to audit
    • Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Registry Keys with notice
    • Hide the username of the last user
      • DontDisplayLastUserName (REG_SZ, 1)
    • Use roaming profiles
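The Winlogon slide names the registry key to edit for the logon notice and the DontDisplayLastUserName value that hides the last user's name. The Python below is an added example written for this page, not part of the presentation: it generates a REGEDIT4-format .reg file that sets both, with correct escaping of backslashes and quotes inside REG_SZ strings, and it reads a .reg export back so the same settings can be audited on other machines. The value names LegalNoticeCaption and LegalNoticeText are the standard Winlogon names for the banner caption and text; they are not on the slide but are assumed here. The banner wording is the slide's own minimum text.

```python
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Winlogon values this example manages. LegalNoticeCaption/LegalNoticeText are the
# standard NT banner values (assumed, not on the slide); DontDisplayLastUserName is.
REQUIRED_VALUES = {"LegalNoticeCaption", "LegalNoticeText", "DontDisplayLastUserName"}

DEFAULT_NOTICE = ("Logon is restricted to authorized users only. "
                  "All subsequent actions are subject to audit.")


def reg_escape(value):
    """Escape a string for a REG_SZ literal in a .reg file (backslash and quote)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(raw):
    """Inverse of reg_escape: a backslash quotes the character that follows it."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def build_winlogon_reg(caption="NOTICE", notice=DEFAULT_NOTICE, hide_last_user=True):
    """Produce REGEDIT4-format .reg text applying the banner and last-user setting."""
    lines = [
        "REGEDIT4",
        "",
        "[%s]" % WINLOGON_KEY,
        '"LegalNoticeCaption"="%s"' % reg_escape(caption),
        '"LegalNoticeText"="%s"' % reg_escape(notice),
    ]
    if hide_last_user:
        lines.append('"DontDisplayLastUserName"="1"')   # REG_SZ "1", as on the slide
    return "\n".join(lines) + "\n"


def parse_reg_values(text, key=WINLOGON_KEY):
    """Read the REG_SZ values under key from .reg text (e.g. a regedit export)."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == "[%s]" % key
        elif in_key and line.startswith('"') and '"="' in line:
            name, raw = line[1:].split('"="', 1)
            values[name] = reg_unescape(raw[:-1])
    return values


def audit_winlogon(reg_text):
    """Names of required Winlogon values that are missing or not set as the slide requires."""
    values = parse_reg_values(reg_text)
    problems = sorted(REQUIRED_VALUES - set(values))
    if "DontDisplayLastUserName" in values and values["DontDisplayLastUserName"] != "1":
        problems.append("DontDisplayLastUserName (not 1)")
    return problems


if __name__ == "__main__":
    reg = build_winlogon_reg()
    print(reg)
    print("audit of generated file:", audit_winlogon(reg) or "ok")
```

Importing the generated file with regedit on each critical system applies the notice; exporting the Winlogon key from a system and passing the text to `audit_winlogon` tells you whether the banner and the last-user setting are still in place.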