windows network security
Posted on 18-May-2015
Securing Windows Networks: Security Advice From The Front Line
Presented by Robert Hensing – PSS Security Incident Response Specialist
Agenda
  Revealing Hacker Personas
  Top Security Mistakes Everyone Seems To Make
  Securing Windows Networks
  Staying Secure
  Secure Windows Initiative
  Security Improvements in XP Service Pack 2
Revealing Hacker Personas
Overview – Revealing Hacker Personas
  Automated vs. Targeted Attacks
  Revealing Hacker Personas: Lame, Skilled, Sophisticated
  Why YOU Were Selected and How You Got 0wn3d
Hacker Personas
Automated Attacks
  “Spreaders” or “Scan’n Sploit Tools” or “auto-rooters”
  Worms That Drop Bots or Trojans
Targeted Attacks
  0-day Exploits
  Custom Attacks that Exploit Weaknesses of Your Internet Presence
Hacker Personas
Lame – ~75% of all intrusions
  Motive: Wants your storage and bandwidth
  Method: Use of spreaders, bots, well-known exploits
  Abilities: Limited high-level language ability
  Payload: Usually FTP servers, backdoors disguised as a ‘clever’ service name: “TCP/IP” service, “System Security” service, “Microsoft ISA Server Common Files” service
Hacker Personas
Skilled – ~24% of all intrusions?
  Motive: Wants to explore your network and use your storage and bandwidth; wants to avoid discovery as much as possible
  Method: Customized intrusion based on identified vulnerabilities for multiple operating systems or applications
  Abilities: Advanced HLL, some ASM
  Payload: FTP servers, keyloggers, backdoors, sniffers, password dumpers
Hacker Personas
Sophisticated – < 1% of all intrusions?
  Motive: Wants your money or your secret / confidential data
  Method: Can customize intrusion based on any number of identified vulnerabilities for a variety of operating systems and applications, possibly using 0-day exploits
  Abilities: Advanced HLL, Advanced ASM
  Payload: Rootkits, a single backdoor DLL, extortion letter!
Hacker Personas
Why you were selected and how you got 0wn3d . . .
  Odds are great you were 0wn3d by a lamer
  You were easily identified as a Windows host through a simple port-scan (no firewall)
  You are on a big fat pipe (possibly hosted)
  You have weak passwords or missing security patches due to a missing or ineffective security policy
Demonstration
Windows Rootkit – Hacker Defender
Top Security Mistakes Everyone Seems To Make
Top Security Mistakes
  Weak or non-existent password policy
  No audit policy
  Sporadic security patch policy
  Patching the OS, but not the apps
  Weak or non-existent firewall policy
  No egress filtering
  No knowledge of securely building a new box, which leads to: Hacked? Rebuild! Hacked Again!?
How To End The Cycle of Violence
  Install from slipstreamed source (Don’t have one? Make one!)
  Patch or enable a host-based firewall (or both) and then connect to the network
  Don’t use the previous admin password, including the SQL SA password
  Don’t share local admin passwords across OS installations (leads to exploit once, run everywhere)
  Patch the applications (SQL, IIS, Exchange etc.)
Securing Windows Networks
Overview – Securing Windows Networks
  System Administrator Personas
  An example of what not to do
  Threats & Countermeasures – Pruning The Low Hanging Fruit
System Admin Personas: Default, Skilled, Sophisticated
System Admin Personas
Default
  Puts servers right on the Internet with no firewall
  Runs a couple of service packs behind (N-2) and doesn’t know how to keep up to date with security patches
  No password policy
  No audit policy
  All default configurations and settings (all defaults, all the time)
System Admin Personas
Skilled
  Uses Internet IPs, but has router ACLs
  Latest OS SP, all OS critical updates; hasn’t patched the applications in a while, if at all
  6-character passwords with account lockouts
  Only audits logon events and monitors for account lockouts by checking event logs periodically
  Suspicious of default settings
  Performed some OS hardening by hand – didn’t harden the applications though
System Admin Personas
Sophisticated
  Uses a firewall with NAT and ingress / egress filtering
  Uses an IDS / IPS in the DMZ network
  Ensures critical security patches are tested and deployed in 24 hours with a rollback plan
  12-character passwords, not shared anywhere, no account lockout, may use 2-factor authN
  Audits everything, archives audit logs daily
  Hardened OS using security templates / group policy, hardened applications
What Not To Do . . .
  Configure your system with an Internet-routable IP address
  Run multiple applications / services on one box: Active Directory, IIS, SQL, Exchange, PCAnywhere, 3rd-party software
  Avoid installing patches
  Don’t have a password policy (What are the odds that someone would guess ‘666’ is my admin password?)
If you do this, here’s what the hackers see . . .
Threats – Low Hanging Fruit
Overview
  NULL Session Enumeration
  Password / Account Lockout Attacks
  Password Hash Attacks
  Remote Code Execution Vulnerabilities
  Physical Attacks
  Unauthorized Network Access
  The VPN “firewall bypass” Server
Threat – NULL Session Enumeration
Understanding the ‘NULL’ user
  Network connection, usually using NetBIOS (TCP 139), in which no credentials have been passed
  A network token gets created on the server for the client; the ‘Everyone’ SID gets added to the token
  The token can now enumerate sensitive information using the Net* APIs the ‘Everyone’ SID has permissions to!
Countermeasures
  RestrictAnonymous=2
  Block access to TCP 139/445
  Stop the Server service
Threat – Password Attacks / Account Lockout Attacks
  Any service that exposes authN protocols is at risk for password-guessing attacks: NetBIOS, SMB, RDP, IIS, FTP etc.
Countermeasures
  Use strong passwords instead of an account lockout policy (which only protects weak passwords)
  Educate administrators and users on how to create strong passwords
  Block access to ports that allow authentication from unauthorized networks (i.e. the Internet) with a firewall or an IPSec port filtering policy
  Shut down unneeded services (Server service, FTP service etc.)
Threat – Password Hash Attacks
Online attacks
  Dumping password hashes from LSASS while the operating system is running: Pwdump*.exe, L0phtCrack 5
Countermeasures
  Require 2-factor authentication
  Prevent malicious code from running in the context of administrator or SYSTEM
  Since this attack requires elevated privileges, any steps taken to counter it can be undone by code running with these elevated privileges
  Arriving at this point means your security posture has failed elsewhere and you have other security issues to deal with
Threat – Password Hash Attacks
Man-in-the-Middle Attacks
  Sniffing shared-secret authentication exchanges based on a user’s password between client / server (LM, NTLMv2, Kerberos)
  Everyone seems to think Kerberos solved the MITM password-cracking attack! It did not; per the Kerberos v5 RFC: “‘Password guessing’ attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user’s password.”
Threat – Password Hash Attacks
Man-in-the-Middle Attacks
  Tools available for LM/NTLM and Kerberos v5: ScoopLM / BeatLM / Kerbcrack / LC5
  Security Friday demonstrated NTLMv2 at Black Hat on a 16-node Beowulf cluster in 2002!
  All researchers agree the solution is strong passwords!
Countermeasures
  Use 2-factor authentication on Windows 2000 and later networks: allows the use of the PKINIT Kerberos extension, which replaces passwords with public/private keys for the initial TGT at logon
  Use strong passwords of 10 characters or more
  Use IPSec ESP to encrypt all network traffic
  Use 802.1x authentication to keep rogue users off your network
Threat – Password Hash Attacks
Assume password hashes will eventually be obtained, allowing:
  Brute-force attacks
  Dictionary attacks
  Hybrid attacks (use a dictionary word, then brute-force a few chars)
  Pre-computation attacks (rainbow tables) – the latest craze . . .
  L0phtCrack 5 utilizes all these methods for cracking hashes
Countermeasures
  Don’t worry about your hashes being stolen – make them immune to reversing in any reasonable amount of time!
  Use 10-character or stronger complex passwords, or better yet pass-phrases! NT-based operating systems support 128-character pass-phrases
  Change them every 60 days or less
  Minimum time before a password can be changed: 1 day
  Number of previous passwords remembered: at least 24
Threat – Password Hash Attacks
[Chart: RainbowCrack Password Cracking Effort vs Password Length. X axis: Password Length (6, 7, 8, 9, 10, 11). Y axis: Time to Crack (Days). Plotted values, in order of increasing password length: Subsecond, Subsecond, Subsecond, 1.4 Hours, 137 Days, 1,878 Years. Reference line: 60 Day Passwords.]
Data from Microsoft calculations based on Philippe Oechslin’s algorithms with a 1 Terabyte RainbowCrack database (research that is the basis for the new attack).
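The password-policy numbers on the countermeasure slides above (10+ characters, complex, 60-day maximum age, 1-day minimum age, 24 passwords remembered, strong passwords rather than account lockout) can be checked mechanically against what a machine actually enforces. The following PowerShell is an added example, not code from the deck or from Microsoft: it parses the [System Access] section of a secedit export and compares each value with the slide's recommendation. The thresholds come from the slides; the function names and the sample export text are my own, and the sample is constructed to look like `secedit /export` output rather than taken from a real machine.

```powershell
# Added example (not from the deck): audit a secedit-exported local security
# policy against the password-policy values recommended on these slides.
# Assumption: the thresholds below are the slides' numbers; the sample export
# text further down is constructed, not captured from a real host.

$Recommended = [ordered]@{
    MinimumPasswordLength = 10   # 10 characters or stronger
    PasswordComplexity    = 1    # complex passwords
    MaximumPasswordAge    = 60   # change every 60 days or less
    MinimumPasswordAge    = 1    # 1 day before a password can be changed
    PasswordHistorySize   = 24   # at least 24 previous passwords remembered
}

# Parse the [System Access] section of a secedit .inf export into a hashtable.
function ConvertFrom-SeceditSystemAccess {
    param([Parameter(Mandatory)][string[]]$Lines)
    $values = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $trimmed -match '^(\w+)\s*=\s*(-?\d+)$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $values
}

# Compare exported values with the recommendations; emits one finding per setting.
function Test-PasswordPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($name in $Recommended.Keys) {
        $actual = $Policy[$name]
        # MaximumPasswordAge is an upper bound (secedit writes -1 for 'never expires');
        # every other recommendation is a lower bound.
        if ($null -eq $actual) { $ok = $false }
        elseif ($name -eq 'MaximumPasswordAge') { $ok = ($actual -gt 0 -and $actual -le $Recommended[$name]) }
        else { $ok = ($actual -ge $Recommended[$name]) }
        [pscustomobject]@{
            Setting     = $name
            Actual      = $actual
            Recommended = $Recommended[$name]
            Compliant   = $ok
        }
    }
    # The slides list account lockout as a threat and prefer strong passwords to a
    # lockout policy, so a lockout threshold is surfaced as a warning, not a pass.
    if ($Policy['LockoutBadCount'] -gt 0) {
        Write-Warning "LockoutBadCount is $($Policy['LockoutBadCount']): lockout only protects weak passwords and exposes accounts to lockout attacks"
    }
}

# Constructed sample resembling 'secedit /export /cfg policy.inf /areas SECURITYPOLICY'
# output from a machine that still runs close to default settings.
$SampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$policy = ConvertFrom-SeceditSystemAccess -Lines $SampleExport
Test-PasswordPolicy -Policy $policy | Format-Table -AutoSize

# Against a live machine (elevated prompt; the export file is UTF-16, which Get-Content detects):
#   secedit /export /cfg "$env:TEMP\policy.inf" /areas SECURITYPOLICY
#   Test-PasswordPolicy -Policy (ConvertFrom-SeceditSystemAccess -Lines (Get-Content "$env:TEMP\policy.inf")) | Format-Table -AutoSize
```

For the constructed sample every row comes back non-compliant and the lockout warning fires, which is the picture the "Default" sysadmin persona slide paints. Domain-joined machines get these values from the Default Domain Policy, so the export reflects the effective setting, not just the local one.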
Threat – Remote Code Execution
  RCE vulnerabilities in exposed network services allow malicious attackers to run code of their choice on a remote system
  Stack & Heap overflows
  Integer under/overflows
  Format string vulnerabilities
Countermeasures
  Disable unnecessary services
  Block unnecessary ports
  Install all critical security updates within 24 hours
  Write secure code
  Run critical services using the new built-in low-privileged accounts
  Compile C++ code with the VC7 compiler /GS switch
  Use behavioral blocking software (Sana Security products)
  Use Intrusion Prevention Systems
Threat – Physical Attacks
  Assume the worst – physical theft of the machine
Countermeasures
  SYSKEY in mode 2 or 3: key stored in your head (mode 2) or key stored on a floppy (mode 3)
  Protects password hashes with 128-bit symmetric encryption
  Either mode prevents the ‘Nordahl’ boot-disk attack; also prevents the DS Restore mode style attacks
  EFS can be used to encrypt sensitive information
Threat – Unauthorized Network Access
  Applies to both wired and wireless networks
  Unauthorized user connects or associates with the network and receives an IP address
  Starts scanning, enumerating and hacking
Countermeasure
  Use 802.1x to authenticate network clients before allowing them to use the network
  Port-based authentication (requires supporting hardware infrastructure)
Threat – VPN Servers
  VPN servers usually allow users unfiltered access to the corporate intranet
  Users contaminate the intranet with malware they’ve collected while surfing the Internet (worms, etc.)
Countermeasure
  Employ a network quarantine solution
  Quarantines VPN users in a DMZ network while the machine is checked for security policy compliance
  After the machine passes the check, packets are routed; if the machine fails the check, the connection is dropped
Countermeasures – Summary
  The vast majority of security threats can be fully mitigated by doing two things well: Passwords, Security updates
  Security should not be ‘bolted on’ – design security into the solution from the beginning
Microsoft Solutions for Security
  Review the new Security Guidance Center: http://www.microsoft.com/security/guidance/default.mspx
  Windows 2000 Security Hardening Guide: http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx
  Windows 2000 Solution for Securing Windows 2000 Server: http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
  Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846 – covers environments running Win9x and later! This is our best solution for securing Windows networks!
Windows Server 2003 Security Guide Theme
  Group Policy can be used to automate the application of security hardening and threat countermeasures through the use of pre-defined security templates applied to GPOs
  Automated – policy applied as machines join the domain / are moved into organizational units
  The Windows 2000 and Windows Server 2003 Solutions for Security come with pre-configured, ready-to-deploy templates
  Obviously you should test them before deploying them in a production environment – they WILL break something
Windows Server 2003 Security Guide
  Provides 3 different security levels for the enterprise:
  Legacy Client (compatible with Win9x – XP)
  Enterprise Client (compatible with 2000 & XP only)
  High Security Client (compatible with 2000 & XP only)
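The security templates the guide ships are ordinary .inf files in the format secedit and Group Policy consume, and the "test before you deploy" advice on the slide maps onto secedit's analyze mode, which only reports differences and changes nothing. The PowerShell below is an added example, not the guide's own template or code: it writes a minimal template containing a few of the countermeasures from earlier slides (password policy, an audit policy, RestrictAnonymous) and runs an analysis of the local machine against it. The file names and function name are mine; the section names and keys are the standard security-template format.

```powershell
# Added example (not from the deck or the Security Guide): author a small
# security template from the slides' countermeasures and *analyze* the local
# machine against it. Assumption: file names under $env:TEMP are mine; the
# template sections and keys are the standard .inf format used by secedit.

$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Password policy from the 'Password Hash Attacks' countermeasures slide
MinimumPasswordLength = 10
PasswordComplexity = 1
MaximumPasswordAge = 60
MinimumPasswordAge = 1
PasswordHistorySize = 24
[Event Audit]
; 'No audit policy' is a top mistake on the slides; 3 = audit success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
[Registry Values]
; NULL session countermeasure; 4 = REG_DWORD, 2 = the value the slide recommends
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
'@

function Invoke-TemplateAnalysis {
    param(
        [string]$TemplatePath = (Join-Path $env:TEMP 'frontline-hardening.inf'),
        [string]$DatabasePath = (Join-Path $env:TEMP 'frontline-hardening.sdb'),
        [string]$LogPath      = (Join-Path $env:TEMP 'frontline-hardening.log')
    )
    # secedit expects a Unicode (UTF-16) .inf file
    Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode
    # /analyze imports the template into a database and compares it with the
    # current settings; nothing on the machine is changed. Swapping /analyze for
    # /configure with the same arguments applies it, which is the step the slide
    # says to try in a test environment first.
    & secedit.exe /analyze /db $DatabasePath /cfg $TemplatePath /log $LogPath /quiet
    # Every setting that differs from the template is logged as a 'Mismatch' line.
    return Get-Content -Path $LogPath | Where-Object { $_ -match 'Mismatch' }
}

Invoke-TemplateAnalysis
```

Run it from an elevated prompt; the returned lines name each setting the machine would change if the template were applied, which is exactly the list to review before pushing the same template through a GPO.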
Demonstration
Securing Windows Servers using Group Policy
Staying Secure
Overview – Staying Secure
  Awareness: Security Alert Notification Services
  Vulnerability Assessment
  Responding to Security Events: Patch Warfare – Thursday, Tutorial 6; Incident Response – Thursday, Tutorial 6
Staying Secure
Security Alert Notification Service
  Get e-mail alerts of Microsoft security bulletins for all Microsoft products
  Plain-text e-mail, PGP-signed with the MSRC PGP key
  http://www.microsoft.com/security/security_bulletins/alerts2.asp
Staying Secure
Vulnerability Assessment
  Microsoft Baseline Security Analyzer 1.2: local or remote vulnerability & patch scanner
  Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, BizTalk, SNA, and HIS vulnerabilities / patches
  English, German, French or Japanese builds!
Staying Secure
MBSA Pros and Cons
  Pros: Free; great product coverage; agent-less
  Cons: Requires authentication with the remote machine and the Remote Registry and Server services; slow when scanning large networks; no easy way to aggregate XML output
Staying Secure
3rd-party vulnerability assessment software
  ISS Internet Scanner – System Scanner
  Foundstone FoundScan
  Much more in-depth than MBSA 1.2
Secure Windows Initiative
Secure Windows Initiative
  Microsoft’s New Security Culture started with Bill Gates’ Trustworthy Computing memo
  Led to SD3+C: Secure By Design, Secure By Default, Secure in Deployment + Communications
Secure Windows Initiative
  Windows Server 2003 is the first product to result from SWI; makes use of many Attack Surface Reductions (ASRs)
Secure Windows Initiative: SD3+C
Secure by Design
  Code reviews
  IIS re-architecture
  Threat models
  $200M investment
Secure by Default
  60% less attack surface area by default compared to Windows NT 4.0 SP3
  Services off by default
  Services run at lower privilege
Secure in Deployment
  Configuration automation
  Identity management
  Monitoring infrastructure
  Prescriptive guidance
Communications
  Community investment
  Architecture webcasts
  Writing Secure Code 2.0
Secure Windows Initiative
Does SWI work? Let’s have a look . . .
  MS03-007, vulnerability exploited through IIS 5.0 + WebDAV
  WS2003 / IIS 6 not affected because:
    IIS6 not installed by default
    If it was installed, WebDAV disabled by default
    If it was enabled, IIS6 rejects long URLs by default
    If it didn’t reject long URLs, the buffer overflow would occur in a low-privilege process, not a process running as SYSTEM
Secure Windows Initiative
Are there other examples?
  MS04-011 fixes 14 Windows vulnerabilities
  Of these 14 vulnerabilities, the LSASS and PCT vulnerabilities are critical on Windows 2000, and exploits were in the wild days after the patch was released!
Secure Windows Initiative
  These vulnerabilities were rated as ‘Low’ on Windows Server 2003 – why?
  Attack Surface Reductions (ASRs) as a result of SWI:
    PCT is not enabled by default!
    LSASS vulnerability not remotely exploitable by default!
Secure Windows Initiative
Want more? Coming soon:
  Secure Server Roles for Windows Server 2003: task-based security wizard to further automate hardening of WS2003 server roles
  Windows XP Service Pack 2: the most secure consumer operating system to date!
Security Improvements in XP Service Pack 2
Security Improvements in XP SP2
Overview
  Network Protection Technologies
  Memory Protection Technologies
  Safer E-Mail
  Safer Browsing
  Windows Installer 3.0
Network Protection Technologies
  Alerter & Messenger – GONE! (Okay, disabled)
  Universal Plug & Play also disabled by default
  Bluetooth network stack included by default; disabled unless a WHQL Bluetooth device is present
Network Protection Technologies
DCOM – Locked down by default!
  Previously, no way for administrators to enforce a machine-wide access policy for all DCOM applications
  XP has over 150 DCOM servers OOB!
  Many DCOM applications have weak “Launch” and “Access” permissions that allow anonymous remote activation / access!
  Administrators had no way to centrally manage / override these settings!
Network Protection Technologies
DCOM Solution
  Machine-wide access check performed before any server-specific access checks are performed
  Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
  Everyone is granted local launch, activation and call permissions
Network Protection Technologies
RPC – Locked down by default (RPC Interface Restriction)
  Previously RPC interfaces were wide open for anonymous access
  SP2 adds the RestrictRemoteClients setting and enables it by default
  Requires all remote RPC clients to authenticate
  The EPM now requires AuthN
  Must set EnableAuthEpResolution to 1 on clients to get the EPM working again
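Both the NULL-session countermeasure (RestrictAnonymous=2) from the earlier threat slide and the RPC interface restriction described here are single registry values, so the first thing an incident responder checks on a suspect box is whether they are actually set. The PowerShell below is an added example, not code from the deck: it reads those values and reports which ones match the hardened setting. The key paths and value names are the documented ones for the LSA RestrictAnonymous value and the XP SP2 RPC policy values; the function names and the `-Reader` parameter (which exists only so the check can be run against constructed data without touching a registry) are my own. One caveat the slide predates: RestrictAnonymous=2 is the Windows 2000 setting; XP and Server 2003 split that behaviour into separate LSA values, so on those systems treat a value of 1 plus the companion settings as the target rather than 2.

```powershell
# Added example (not from the deck): report whether the RestrictAnonymous and
# RPC interface-restriction values from these slides are set to the hardened
# value. Assumptions: key paths / value names are the documented ones;
# -Reader and the sample data are constructed for offline demonstration.

$Checks = @(
    @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'RestrictAnonymous'; Expected = 2
       Why      = 'NULL session enumeration: slide recommends RestrictAnonymous=2 (Windows 2000)' }
    @{ Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
       Name     = 'RestrictRemoteClients'; Expected = 1
       Why      = 'RPC interface restriction: remote RPC clients must authenticate' }
    @{ Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
       Name     = 'EnableAuthEpResolution'; Expected = 1
       Why      = 'Client side: authenticated endpoint-mapper resolution so the EPM keeps working' }
)

# Default reader: the live registry. Returns $null when the key or value is absent.
function Read-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-HardeningValues {
    param([scriptblock]$Reader = ${function:Read-RegistryDword})
    foreach ($check in $Checks) {
        $actual = & $Reader $check.Path $check.Name
        if ($null -eq $actual) { $shown = 'not set' } else { $shown = $actual }
        [pscustomobject]@{
            Value    = $check.Name
            Actual   = $shown
            Expected = $check.Expected
            # Higher values are stricter for all three settings, so >= is the test.
            Hardened = ($null -ne $actual -and $actual -ge $check.Expected)
            Reason   = $check.Why
        }
    }
}

# Constructed sample: a machine where RestrictAnonymous is still 0 and the
# RPC policy key has never been created (both values come back 'not set' / 0).
$SampleRegistry = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|RestrictAnonymous' = 0
}
$SampleReader = { param($Path, $Name) $SampleRegistry["$Path|$Name"] }

Test-HardeningValues -Reader $SampleReader | Format-Table -AutoSize

# Against the live registry (elevated prompt): Test-HardeningValues | Format-Table -AutoSize
```

A missing RPC policy key is not the same as a disabled restriction: on XP SP2 the restriction is on by default even when the policy value is absent, so an absent value means "default", and the check above deliberately flags it so an administrator confirms the default rather than assuming it.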
Network Protection Technologies
Windows Firewall (the software formerly known as ICF)
  Boot-time security
  On by default for all interfaces, global configuration (all interfaces can share the same configuration)
  Local subnet restriction
  Command-line support (via netsh) for scriptomatic configuration (think logon scripts)
  “On with no exceptions”
  Exception List
  Multiple Profiles
  RPC Support
  Restore Defaults
  Unattended Setup for OEMs
  Multicast / Broadcast support
  New and improved Group Policy configuration (via System.adm)
Memory Protection Technologies
Introducing Data Execution Protection (NX)
  Buffer overflows usually place ‘shellcode’ on the stack or in the heap and cause execution to jump to this location
  NX marks areas of the stack / heap as non-executable, preventing this mal-code from running
  Usermode apps that attempt to run code there will AV; kernelmode drivers that attempt to run code there will bluescreen
  Supported on AMD64, IA64 and forthcoming x64 Intel CPUs for both 32-bit and 64-bit Windows XP
Memory Protection Technologies
/GS Stack-based buffer overflow protection
  Places a ‘canary’ value on the stack before / after stack allocations
  Value is checked when values are read from the stack to make sure the stack hasn’t been overwritten
  If the canary value has changed, the process crashes vs. allowing code to execute
Safer E-Mail
  Outlook Express will read all e-mail as plain text by default – blocks HTML e-mail exploits
  “Don’t download external HTML content”: if you choose to render HTML e-mail, external HTML is not rendered / downloaded – blocks “web bugs” etc.
  AES API (Attachment Execution Service): apps no longer have to roll their own attachment handling code (can be shared by IM, e-mail etc.)
Safer Browsing
Internet Explorer
  Add-On Management / Crash Protection
  Binary Behaviors locked down now – option appears in each zone for configuring
  BindToObject mitigation – ActiveX security model now applied to URL binding
  Microsoft Java VM can be disabled per zone
  Local Machine Zone lockdown: all local files / content processed by IE run in the LMZ; no ActiveX objects allowed; scripts set to Prompt; Binary Behaviors disallowed; no Java!
Safer Browsing
Internet Explorer
  Improved MIME handling: 4 different checks performed (file extension, Content-Type / Content-Disposition from header, and MIME sniff)
  Object caching / scope: objects lose scope when browsing to a different domain / FQDN; sites can no longer access cached objects from other sites
  POP UP BLOCKER!!!!!
  “Never trust content from Publishername”
  One Prompt Per Control Per Page (endless loop attack)
Safer Browsing
Internet Explorer
  Authenticode dialog box supports ellipses – annoying ActiveX controls with overly long descriptions can now be viewed
  Window Restrictions – prevents UI spoofing attacks
  Script sizing / repositioning restrictions – prevents scripts from moving windows to hide URL bars / status bars etc.
  Status bar always visible – scripts can no longer disable it
Safer Browsing
Internet Explorer
  Script pop-up window placement: pop-ups are now constrained so that they
    Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window
    Are smaller in height than the parent WebOC window
    Overlap the parent window horizontally
    Stay with the parent window if the parent window moves
    Appear above their parent so other windows (such as a dialog box) cannot be hidden
  Mitigates chromeless window attacks
Safer Browsing
Internet Explorer
  Zone Elevation blocks: Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL
  Scripts cannot navigate from the Internet Zone to the Local Machine Zone – AND the Local Machine Zone is locked down by default now, even if it could happen!
  Zone Elevation attacks are one of the most exploited IE attack vectors
Windows Installer 3.0
  SUS 2.0 will utilize MSI 3.0
  Improved inventory functions across user and installation contexts
  Support for binary delta compression – makes patches smaller / quicker to download
  Patch sequencing – authors can provide explicit installation order
  Supports WinHTTP (vs. WinInet) for web downloads
  No longer interactive – runs as SYSTEM; interactive SYSTEM services can be “shattered”
Demonstration (time permitting)
  Out of Box Experience
  Automatic Updates
  Security Center
  Windows Firewall
  RPC Hardening
  Internet Explorer Add-ons Manager
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
So are we there yet?
We’re getting there, stay tuned . . .