Implementing Advanced Server and Client Security
DESCRIPTION
Implementing Advanced Server and Client Security. Sandeep Modhvadia, Security Technical Specialist, http://blogs.msdn.com/sandeepm, [email protected]. Agenda: Windows Server 2003 Service Pack 1, 2 years on! Windows XP Service Pack 2. What are the Goals of SP1? Enhanced Security. (PowerPoint presentation)
TRANSCRIPT
Implementing Advanced Server and Client Security
Sandeep Modhvadia
Security Technical Specialist
http://blogs.msdn.com/sandeepm
[email protected]
Agenda
Windows Server 2003 Service Pack 1: 2 years on!
Windows XP Service Pack 2
What are the Goals of SP1?
Enhanced Security
  Reduced attack surface
  New security enhancements
    Stronger defaults and privilege reduction on services: RPC, DCOM
    Support for no-execute hardware (AMD NX, Intel XD)
    Windows Firewall enabled for new-install scenarios
    Provide a Security Configuration Wizard to assist IT admins: role-based configuration and lockdown
    VPN Quarantine: client inspection, fix-up, isolation
    IIS 6.0 metabase auditing
Enhanced Reliability
Enhanced Performance
  10%+ improvement in TPC, TPC-H, SAP, SSL, etc.
SP1 Security Features and Enhancements
Relevant XP SP2 enhancements: RPC, DCOM lockdown
Windows Firewall
Post-Setup Security Updates
Boot-time network protection for clean installs
Security Configuration Wizard
Base 64-bit extension system
Windows Firewall/RPC
Goals and customer benefit
  Provide better protection from network attacks by default
  Focus on role-based server configuration
What we're doing
  Windows Firewall (formerly ICF) will be on by default in almost all configurations utilizing the Security Configuration Wizard
  More configuration options: Group Policy, command line, unattended setup
  Better user interface
  Boot-time protection
  Restrict anonymous connections to DCOM/RPC interfaces
Application impact
  Inbound network connections will not be permitted by default
  With a program exception, the listening port is open only while that application is running (a static port exception stays open regardless)
Post-Setup Security Updates
A new feature designed to protect servers between first boot and application of the most recent security updates
Opens on first admin login if Windows Firewall was not explicitly enabled using an unattend script or Group Policy
Blocks inbound connections until the customer clicks "Finish" on the PSSU dialog box
Security Configuration Wizard
Guided attack surface reduction for Windows Servers
Security coverage
  Roles-based metaphor
  Disables unnecessary services
  Disables unnecessary IIS web extensions
  Blocks unused ports, including multi-homed scenarios
  Helps secure ports that are left open using IPsec
  Reduces protocol exposure (LDAP, NTLM, SMB)
  Configures audit settings with a high signal-to-noise ratio
Security for mere mortals
  Roles-based approach makes answering the questions easy
  Automated versus paper-based guidance
  Fully tested and supported by Microsoft
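The wizard itself is GUI-driven, but SP1 also ships scwcmd.exe so the analyze / configure / rollback / transform-to-GPO cycle can be scripted across a fleet. The batch file below is an added example, not material from the presentation; the policy path C:\scw\WebServer.xml, the host list C:\scw\servers.txt, the GPO name, and the stylesheet path under %windir%\security\msscw\TransformFiles are assumptions for illustration, and the script expects to run as an account that is a local administrator on every target host.

```batch
@echo off
rem Added example (not from the presentation): driving the Security Configuration
rem Wizard from the command line with scwcmd.exe on Windows Server 2003 SP1.
rem Hypothetical assumptions: the SCW component is installed; the role policy was
rem authored once in the scw.exe GUI and saved as C:\scw\WebServer.xml; target hosts
rem are listed one per line in C:\scw\servers.txt; the script runs under an account
rem that is a local administrator on those hosts.
setlocal
set POLICY=C:\scw\WebServer.xml
set HOSTS=C:\scw\servers.txt
set REPORTS=C:\scw\reports
rem Stylesheet SCW uses to render an analysis result (assumed location).
set XSL=%windir%\security\msscw\TransformFiles\scwanalysis.xsl

if "%~1"=="" goto usage
if not exist "%POLICY%" (
    echo Policy file %POLICY% not found; author it once with scw.exe first.
    exit /b 1
)
if not exist "%HOSTS%" (
    echo Host list %HOSTS% not found.
    exit /b 1
)
if not exist "%REPORTS%" mkdir "%REPORTS%"

if /i "%~1"=="analyze"   goto analyze
if /i "%~1"=="configure" goto configure
if /i "%~1"=="rollback"  goto rollback
if /i "%~1"=="gpo"       goto gpo
goto usage

:analyze
rem Compare each host against the policy without changing it. scwcmd writes one
rem result XML per host into %REPORTS% (assumed to be named <host>.xml);
rem /e reports XML errors as well, /l writes scwcmd's own log.
for /f "usebackq eol=# tokens=1" %%H in ("%HOSTS%") do (
    scwcmd analyze /m:%%H /p:"%POLICY%" /o:"%REPORTS%" /e /l
    rem Render the result as HTML with SCW's analysis stylesheet for review.
    scwcmd view /x:"%REPORTS%\%%H.xml" /s:"%XSL%"
)
goto :eof

:configure
rem Apply the policy: services, IIS extensions, firewall/IPsec port rules,
rem protocol and audit settings, exactly as the wizard would. Run analyze first;
rem SCW records what it changed so the rollback target below can undo it.
for /f "usebackq eol=# tokens=1" %%H in ("%HOSTS%") do (
    scwcmd configure /m:%%H /p:"%POLICY%"
)
goto :eof

:rollback
rem Undo the most recently applied SCW policy on each host.
for /f "usebackq eol=# tokens=1" %%H in ("%HOSTS%") do (
    scwcmd rollback /m:%%H
)
goto :eof

:gpo
rem Convert the policy into a Group Policy object so it can be linked to an OU
rem holding every server of this role, instead of being pushed host by host.
scwcmd transform /p:"%POLICY%" /g:"SCW Web Server Lockdown"
goto :eof

:usage
echo Usage: %~nx0 analyze ^| configure ^| rollback ^| gpo
exit /b 2
```

Usage: `scw-fleet.cmd analyze` first and read the rendered reports; only then `scw-fleet.cmd configure`. Keeping `rollback` one argument away matters on multi-homed or IPsec-scoped hosts, where a wrong port rule in the policy can cut off the management path you are using to apply it.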
SCW Demo
What is SP2?
Post-SP1 hotfixes (more regression testing)
New security technologies
  Network protection
  Memory protection
  Safer e-mail handling
  More secure browsing
  Improved computer maintenance
Some updated features
Windows Firewall enhancements
New and improved user interface
On by default for all network interfaces
Provides boot-time security
Global and per-interface configurations
Exceptions list (can be disallowed)
Local subnet restrictions
Command-line and better Group Policy management
Multiple profiles and RPC support
Unattended setup
Command Line Control
C:\>netsh firewall show
The following commands are available:
Commands in this context:
show allowedprogram - Shows firewall allowed program configuration.
show config - Shows firewall configuration.
show currentprofile - Shows current firewall profile.
show icmpsetting - Shows firewall ICMP configuration.
show logging - Shows firewall logging configuration.
show multicastbroadcastresponse - Shows firewall multicast/broadcast response configuration.
show notifications - Shows firewall notification configuration.
show opmode - Shows firewall operational configuration.
show portopening - Shows firewall port configuration.
show service - Shows firewall service configuration.
show state - Shows current firewall state.
Windows Firewall Demo
Change of scope
Multiple interface rules
Application exceptions
Group Policy
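The `netsh firewall show` listing on the Command Line Control slide only reads state; the `set` and `add` verbs in the same context do the work the demo shows by hand (scope changes, per-interface rules, application exceptions). The batch file below is an added example, not code from the presentation; the management subnet 10.1.50.0/24, the binary C:\Apps\LobSvc\lobsvc.exe, the interface name "Internal", port 8443 and the log directory are all assumptions for illustration. Where a Group Policy object that configures Windows Firewall applies to the machine, the GPO settings take precedence over these local ones.

```batch
@echo off
rem Added example (not from the presentation): scripted Windows Firewall lockdown
rem with the XP SP2 / Server 2003 SP1 "netsh firewall" context.
rem Hypothetical assumptions: management subnet 10.1.50.0/24, line-of-business
rem service C:\Apps\LobSvc\lobsvc.exe, an interface named "Internal" in Network
rem Connections, and a log directory C:\FirewallLogs that may need creating.
setlocal
set MGMT=10.1.50.0/255.255.255.0
set LOB=C:\Apps\LobSvc\lobsvc.exe
set LOGDIR=C:\FirewallLogs

rem 1. Firewall on for both the domain and the standard (non-domain) profile.
rem    exceptions=enable keeps the exceptions list in force; exceptions=disable is
rem    the "no exceptions" mode that drops every inbound connection.
netsh firewall set opmode mode=enable exceptions=enable profile=all

rem 2. Change of scope: Remote Desktop is reachable only from the management
rem    subnet, not from any address (the default scope of the built-in exception).
netsh firewall set service type=remotedesktop mode=enable scope=custom addresses=%MGMT% profile=all

rem 3. File and print sharing off where the role does not need it (SMB exposure).
netsh firewall set service type=fileandprint mode=disable profile=all

rem 4. Application exception rather than a static port: whatever lobsvc.exe listens
rem    on is open only while it runs, and only for the local subnet.
netsh firewall add allowedprogram program="%LOB%" name="LOB Service" mode=enable scope=subnet profile=all

rem 5. Per-interface rule: a static port opening bound to the internal NIC only.
rem    interface= and profile= are alternatives; this rule is interface-scoped.
netsh firewall add portopening protocol=tcp port=8443 name="Internal HTTPS" mode=enable interface="Internal"

rem 6. No ICMP replies and no answers to multicast/broadcast probes.
netsh firewall set icmpsetting type=all mode=disable profile=all
netsh firewall set multicastbroadcastresponse mode=disable profile=all

rem 7. Log dropped packets and successful connections for the operations team.
if not exist "%LOGDIR%" mkdir "%LOGDIR%"
netsh firewall set logging filelocation=%LOGDIR%\pfirewall.log maxfilesize=4096 droppedpackets=enable connections=enable

rem 8. Verify: operational state, the profile in force right now, and the full
rem    configuration including every exception and its scope.
netsh firewall show state
netsh firewall show currentprofile
netsh firewall show config
endlocal
```

Step 8 is the check worth keeping in any such script: `show currentprofile` tells you whether the domain or the standard profile is active on this connection, and `show config` lists each exception with its scope, so a rule that silently landed as scope=ALL instead of SUBNET is visible before the host goes into service.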
Internet Explorer
Window restrictions
What is it?
  Scripts can't position or resize windows with title and status bars off-screen
  Scripts can't turn off the status bar
  Script windows:
    Must fit between top and bottom of parent
    Overlap parent horizontally
    Move with parent
    Appear above parent so that other windows (like dialog boxes) can't be hidden
Why do it?
  Eliminates windows that try to spoof desktop objects
  Allows users to always see the security zone
  Prevents overlaying of the address bar
Internet Explorer
Managing pop-ups
Client Demo
Software Restriction Policies
Data Execution Prevention