610 likes | 626 Views
SIM404. Hey, You! Get Off My Network! (Repeats on 5/19 at 8:30am). ERDAL OZKAYA Licensed Penetration Tester–MVP-MCT-CEI CEO IT TRAINING erdal@ceotraining.com.au Elias Mereb MVP-MCT
E N D
SIM404 Hey, You! Get Off My Network! (Repeats on 5/19 at 8:30am) ERDAL OZKAYA Licensed Penetration Tester–MVP-MCT-CEI CEO IT TRAINING erdal@ceotraining.com.au Elias Mereb MVP-MCT emereb@widetechconsulting.com
Agenda:Hack Proof Your Server Demo What is Penetration Testing Demo
Is Security Part of Your Job? Question
Think Again!!! Source: Demotivation
Best Practices to Keep Your Servers SAFE! Golden Rule! There is no way to STOP a Hacker, you can only make their job HARDER !
Sound familiar ? • Costs too much money! • Too complicated • Not worth the bother!! • My SIMPLE firewall protects me • We have got “A” Solution
Windows Server Core is Secure Because • There is no GUI shell • Reduced maintenance • Reduced attack surface area • Reduced management • Less disk space required to install
2. Use AppLocker • Replaces the Software Restriction Policies feature • AppLocker will reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs
3. Use Biometrics Server 2008 R2 enables administrators and users to use • Fingerprint biometric devices to log on to computers, • Grant elevation privileges through User Account Control (UAC) • Perform basic management of the fingerprint devices. • Manage fingerprint biometric devices in Group Policy settings by enabling, limiting, or blocking their use
4. Use Smart Cards Server 08 R2 make smart cards easier to use and to deploy, and makes it possible to use smart cards to complete a greater variety of tasks
5. Use Strong Passwords • Mandate a minimum password length of at least 8 characters, consider 12… 7 or under is bad under all circumstances • Audit Passwords against English words; (Cain & Abel can do some of it) • Avoid too complex passwords ( for end users) • Train users to avoid simple English words • Remove LM Win 7 and Server 2008 R2 have no support for LAN Man hashes or authentication at all
6. Use Service Accounts To enhance security while simplifying or eliminating password and Service Principal Name (SPN) management 1. Managed service account Is designed to provide crucial applications such as SQL Server and IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the SPNand credentials for these accounts 2. Virtual accounts Are "managed local accounts" that can use a computer's credentials to access network resources
7. User Account Control (UAC) • The access control model changed to help mitigate the impact of a malicious program; When a user attempts to start an administrator task or service, the UAC dialog box asks the user to click either Yes or No before the user's full administrator access token can be used Changes in Server 08 R2 are • Increase the number of tasks that the standard user can perform that do not prompt for administrator approval • Allow a user with administrator privileges to configure the UAC experience in the Control Panel • Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode • Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users
8. Windows Security Auditing With Server 08 R2 all auditing capabilities have been integrated with Group Policy Server R2 increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies New enhancements are • Global Object Access Auditing • "Reason for access" reporting • Advanced audit policy settings
9. Run Security Configuration Wizard (SCW) SCW guides you through the process of creating, editing, applying, or rolling back a security policy SCW benefits • disables unnecessary services • detects role dependencies • It provides hot links to get online help • Can be deployed via Group Policy
10. Use Windows Firewall Windows Firewall with Advanced Security is an advanced interface for IT professionals Windows Firewall with Advanced Security is not for home users
11. Disabling Insecure User Accounts In Windows 2008 server installation, two accounts are created by default • Administrator and Guest • Disable or rename admin account
12. Use BitLocker BitLocker Drive Encryption allows you to • Encrypt all data stored on the Windows operating system volume • configured data volumes, • by using a Trusted Platform Module (TPM), it can also help ensure the integrity of early startup components
13. Use Windows 2008 R2 NAP Network Access Protection monitors and assess the ‘health” of hosts in a network to determine their level of compliance to the configured health policy. NAP ensures that vulnerable/infected systems don’t become a launch pad for a more wide spread hacker/malicious code attack
14. Use Microsoft Baseline Security Analyzer MBSA is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems http://www.microsoft.com/mbsa
Social Engineering Explored • There is no method to ensure complete security from social engineering attacks • Its difficult to detect • Security policy's are strong as their weakest link, and humans are the most susceptible factor • There is no specific SOFTWARE or HARDWARE to defend against it
What Else Can You Do to Protect Your Servers? • Learn to look for weakness... • The old excuse is not an EXCUSE “It will never happen to me It’s the way we've always done it It’s standard practice throughout the company ….”
Microsoft Tools to Harden our Servers Security Compliance Manager is designed to provide you with an end-to-end solution to help you plan, deploy, and monitor the security baselines of computers running Windows Server 2008 in your environment http://go.microsoft.com/fwlink/?LinkId=182512
SIR? Have You Met…
Microsoft Security Intelligence Report • The Security Intelligence Report (SIR) is an investigation of the current threat landscapeIt analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, internet services, and three Microsoft Security Centers • http://www.microsoft.com/security/sir/
What Is Penetration Testing? • Testing the security of systems and architectures from a hacker’s point of view • A “simulated attack” with a predetermined goal. • It is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy. • It is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.
ROSI • Reduce the IT Security costs & provide a better Return On IT Security Investment (ROSI) by identifying & resolving vulnerabilities and weakness
Comprehensive Assessment • Pen Testing will assure the organization that all • Policy • Procedure • Design & Implementation has been assets
Process Best Practice for legal & industry regulations approach • ISMS PDCA example Interested Parties Information security requirements and expectations Interested Parties Managed information security Plan Establish an ISMS Act Do Implement the ISMS Maintain and Improve the ISMS Monitor and review the ISMS Check
Gain & maintain certification • Information Security Management Systems • Like ISO 27001 • BS7799 • HIPPAA ( Privacy certification for Health Insurance Portability and Accountability ) • etc.
What Should be Tested? • A risk assessment should be conducted to identify main threats, such us: • Communications – E-Commerce & loss of confidential information failure • Public facing systems, websites, e-mail gateways & remote platforms • Mail, DNS, firewall, passwords, FTP, IIS & other web servers
Access Points to Your Network • Internet gateways • Modems • Wireless Networks • Physical entry • Social Engineering
What Makes a Good Penetration Test? • Establish the parameters for the pen-test such us: Objectives ,Limitations & justification of procedures • Choose suitable set of tests that balance cost & benefits • Following a methodology with proper planning & documentation • Stating all the results clearly in the final report
Penetration Testing Is Not… • An alternative to other IT security measures – it complements other tests • Expensive game of Capture the Flag • A guarantee of security • It is not a proof techniques. It can never prove the absence of security flaws. It can only prove their presence.
Hacking Methodology (Steps) Footprinting Scanning Enumeration Gaining Access Escalating Privilege Pilferting Covering Tracks Creating Back Doors Denial of Service whois, nslookup GFILan \nmap rpcinfo Tcpdump Johntheripper Config files, registry rootkits keystroke logger remote desktop Ping of death
Limitations • It’s only valid for the period tested • Time to perform
External Testing Involves analysis of publicly available information a network enumeration phase, and the behaviour of the security devices analysed Types of Penetration Testing Internal Testing Will be performed from a number of network access points , representing each logical & physical segment
Phases of Pen Testing • Pre- Attack Phase • Attack Phase • Post Attack Phase
Pre- Attack Phase • Goals of the attack will be defined Reconnaissance Refers to phase where attacker gathers as much information as possible (Learn About Target) • Passive Reconnaissance • Hacker does not interact with the system directly • Use publicly available info * Social Engineering ,Dumpster Diving 2. Active Reconnaissance • Open ports ,Router locations ,Network mapping, Details of O/S & apps
Attack Phase • Penetrate Perimeter • Acquire Target • Execute, Implant Retract • Escalate Privilege