Detailed explanation of promotion and marketing methods on the Weitao public platform

Uploaded by: gb****c   Document ID: 243304829   Uploaded: 2024-09-20   Format: PPT   Pages: 71   Size: 1.85MB
Securing Windows Networks
Security Advice From The Front Line
Presented by Robert Hensing, PSS Security Incident Response Specialist

Agenda
- Revealing Hacker Personas
- Top Security Mistakes Everyone Seems To Make
- Securing Windows Networks
- Staying Secure
- Secure Windows Initiative
- Security Improvements in XP Service Pack 2

Revealing Hacker Personas

Overview - Revealing Hacker Personas
- Automated vs. Targeted Attacks
- Hacker Personas: Lame, Skilled, Sophisticated
- Why YOU Were Selected and How You Got 0wn3d

Hacker Personas
- Automated Attacks
  - "Spreaders" or "Scann Sploit Tools" or "auto-rooters"
  - Worms That Drop Bots or Trojans
- Targeted Attacks
  - 0-day Exploits
  - Custom Attacks that Exploit Weaknesses of Your Internet Presence

Hacker Personas - Lame (75% of all intrusions)
- Motive: Wants your storage and bandwidth
- Method: Use of spreaders, bots, well known exploits
- Abilities: Limited high level language ability
- Payload: Usually backdoors disguised as a clever service name
  - "TCP/IP" service or "System Security" service
  - "Microsoft ISA Server Common Files" service

Hacker Personas - Skilled (24% of all intrusions?)
- Motive: Wants to explore your network and use your storage and bandwidth; wants to avoid discovery as much as possible
- Method: Customized intrusion based on identified vulnerabilities for multiple operating systems or applications
- Abilities: Advanced HLL, some ASM
- Payload: keyloggers, backdoors, sniffers, password dumpers

Hacker Personas - Sophisticated (1% of all intrusions?)
- Motive: Wants your money or your secret / confidential data
- Method: Can customize the intrusion based on any number of identified vulnerabilities for a variety of operating systems and applications, possibly using 0-day exploits
- Abilities: Advanced HLL, Advanced ASM
- Payload: Rootkits, a single backdoor DLL, extortion letter!

Why you were selected and how you got 0wn3d . . .
- Odds are great you were 0wn3d by a lamer
- You were easily identified as a Windows host through a simple port-scan (no firewall)
- You are on a big fat pipe (possibly hosted)
- You have weak passwords or missing security patches due to a missing or ineffective security policy

Demonstration: Windows Rootkit - Hacker Defender

Top Security Mistakes Everyone Seems To Make

Top Security Mistakes
- Weak or non-existent password policy
- No audit policy
- Sporadic security patch policy
- Patching the OS, but not the apps
- Weak or non-existent firewall policy
- No egress filtering
- No knowledge of securely building a new box, which leads to: Hacked? Rebuild! Hacked Again!?

How To End The Cycle of Violence
- Install from a slipstreamed source (Don't have one? Make one!)
- Patch or enable a host based firewall (or both) and THEN connect to the network
- Don't use the previous admin password (including the SQL SA password)
- Don't share local admin passwords across OS installations; this leads to "exploit once, run everywhere"
- Patch the applications (SQL, IIS, Exchange, etc.)

Securing Windows Networks

Overview - Securing Windows Networks
- System Administrator Personas
- An example of what NOT to do
- Threats & Countermeasures - Pruning The Low Hanging Fruit

System Admin Personas: Default, Skilled, Sophisticated

System Admin Personas - Default
- Puts servers right on the Internet with no firewall
- Runs a couple of service packs behind (N-2) and doesn't know how to keep up to date with security patches
- No password policy
- No audit policy
- All default configurations and settings (all defaults, all the time)

System Admin Personas - Skilled
- Uses Internet IPs, but has router ACLs
- Latest OS SP, all OS critical updates; hasn't patched the applications in a while, if at all
- 6 character passwords with account lockouts
- Only audits logon events and monitors for account lockouts by checking event logs periodically
- Suspicious of default settings
- Performed some OS hardening by hand; didn't harden the applications though

System Admin Personas - Sophisticated
- Uses a firewall with NAT and ingress / egress filtering
- Uses an IDS / IPS in the DMZ network
- Ensures critical security patches are tested and deployed within 24 hours, with a rollback plan
- 12 character passwords, not shared anywhere, no account lockout, may use 2-factor authN
- Audits everything, archives audit logs daily
- Hardened OS using security templates / group policy, hardened applications

What NOT To Do . . .
- Configure your system with an Internet routable IP address
- Run multiple applications / services on one box: Active Directory, IIS, SQL, Exchange, PCAnywhere, 3rd party software
- Avoid installing patches
- Don't have a password policy ("What are the odds that someone would guess 666 is my admin password?")
- If you do this, here's what the hackers see . . .

Threats - Low Hanging Fruit - Overview
- NULL Session Enumeration
- Password / Account Lockout Attacks
- Password Hash Attacks
- Remote Code Execution Vulnerabilities
- Physical Attacks
- Unauthorized Network Access
- The VPN "firewall bypass" Server

Threat - NULL Session Enumeration
- Understanding the NULL user
  - A network connection, usually using NetBIOS TCP 139, in which no credentials have been passed
  - A network token gets created on the server for the client, and the Everyone SID gets added to the token
  - The token can now enumerate sensitive information using the Net* APIs the Everyone SID has permissions to!
- Countermeasures
  - RestrictAnonymous=2
  - Block access to TCP 139/445
  - Stop the Server service

Threat - Password Attacks / Account Lockout Attacks
- Any service that exposes authN protocols is at risk of password guessing attacks: NetBIOS, SMB, RDP, IIS, ...
- Countermeasures
  - Use strong passwords instead of an account lockout policy (which only protects weak passwords)
  - Educate administrators AND users on how to create strong passwords
  - Block access to ports that allow authentication from unauthorized networks (i.e. the Internet) with a firewall or an IPSec port filtering policy
  - Shut down un-needed services (Server service, etc.)

Threat - Password Hash Attacks - Online attacks
- Dumping password hashes from LSASS while the operating system is running (Pwdump*.exe, L0phtCrack 5)
- Countermeasures
  - Require 2-factor authentication
  - Prevent malicious code from running in the context of Administrator or SYSTEM
  - Since this attack requires elevated privileges, any steps taken to counter it can be undone by code running with those elevated privileges
  - Arriving at this point means your security posture has failed elsewhere and you have other security issues to deal with

Threat - Password Hash Attacks - Man In the Middle Attacks
- Sniffing shared-secret authentication exchanges based on a user's password between client and server (LM, NTLMv2, Kerberos)
- Everyone seems to think Kerberos solved the MITM password-cracking attack! It did not, per the Kerberos v5 RFC:
  "Password guessing attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password."

Threat - Password Hash Attacks - Man In the Middle Attacks (continued)
- Tools available for LM/NTLM and Kerberos v5: ScoopLM / BeatLM / Kerbcrack / LC5
- Security Friday demonstrated NTLMv2 at Blackhat on a 16-node Beowulf cluster in 2002!
- All researchers agree the solution is strong passwords!
- Countermeasures
  - Use 2-factor authentication on Windows 2000 and later networks; this allows the use of the PKINIT Kerberos extension, which replaces passwords with public/private keys for the initial TGT at logon
  - Use strong 10 character or greater passwords
  - Use IPSec ESP to encrypt all network traffic
  - Use 802.1x authentication to keep rogue users off your network

Threat - Password Hash Attacks - Offline attacks
- Assume password hashes will eventually be obtained, allowing:
  - Brute-force attacks
  - Dictionary attacks
  - Hybrid attacks (use a dictionary word, then brute-force a few chars)
  - Pre-computation attacks (rainbow tables), the latest craze . . .
- L0phtCrack5 utilizes all these methods for cracking hashes
- Countermeasures
  - Don't worry about your hashes being stolen; make them immune to reversing in any reasonable amount of time!
  - Use 10 character or stronger complex passwords, or better yet pass-phrases! NT based operating systems support 128 character pass-phrases
  - Change them every 60 days or less
  - Minimum time before a password can be changed: 1 day
  - Number of previous passwords remembered: at least 24

Threat - Password Hash Attacks
[Chart not recoverable from the extraction: x-axis "Password Length" (6 to 11), series "60 Day Passwords".] Data from Microsoft calculations based on Philippe Oechslin's algorithms with a 1 Terabyte RainbowCrack database (the research that is the basis for the new attack).

Threat - Remote Code Execution
- RCE vulnerabilities in exposed network services allow malicious attackers to run code of their choice on a remote system
  - Stack & heap overflows
  - Integer under/overflows
  - Format string vulnerabilities
- Countermeasures
  - Disable unnecessary services
  - Block unnecessary ports
  - Install all critical security updates within 24 hours
  - Write secure code
  - Run critical services using the new built-in low-privileged accounts
  - Compile C++ code with the VC7 compiler /GS switch
  - Use behavioral blocking software (Sana Security products)
  - Use Intrusion Prevention Systems

Threat - Physical Attacks
- Assume the worst: physical theft of the machine
- Countermeasures
  - SYSKEY in mode 2 or 3: key stored in your head (mode 2) or on a floppy (mode 3)
    - Protects password hashes with 128 bit symmetric encryption
    - Either mode prevents the Nordahl boot-disk attack
    - Also prevents the DS Restore mode style attacks
  - EFS can be used to encrypt sensitive information

Threat - Unauthorized Network Access
- Applies to both wired and wireless networks
- An unauthorized user connects to or associates with the network and receives an IP address, then starts scanning, enumerating and hacking
- Countermeasure: use 802.1x to authenticate network clients before allowing them to use the network; port-based authentication (requires supporting hardware infrastructure)

Threat - VPN Servers
- VPN servers usually allow users un-filtered access to the corporate intranet
- Users contaminate the intranet with malware they've collected while surfing the Internet (worms, etc.)
- Countermeasure: employ a network quarantine solution
  - Quarantines VPN users in a DMZ network while the machine is checked for security policy compliance
  - After the machine passes the check, packets are routed
  - If the machine fails the check, the connection is dropped

Countermeasures - Summary
- The vast majority of security threats can be FULLY mitigated by doing two things well: passwords and security updates
- Security should not be bolted on; design security into the solution from the beginning

Microsoft Solutions for Security
- Review the new Security Guidance Center
- Windows 2000 Security Hardening Guide
- Windows 2000 Solution for Securing Windows 2000 Server
- Windows Server 2003 Security Guide: covers environments running Win9x and later! This is our best solution for securing Windows networks!

Windows Server 2003 Security Guide - Theme
- Group Policy can be used to automate the application of security hardening and threat countermeasures through pre-defined security templates applied to GPOs
- Automated policy is applied as machines join the domain or are moved into organizational units
- The Windows 2000 and Windows Server 2003 Solutions for Security come with pre-configured, ready to deploy templates
- Obviously you should test them before deploying them in a production environment; they WILL break something

Windows Server 2003 Security Guide
- Provides 3 different security levels for the enterprise
  - Legacy Client (compatible with Win9x through XP)
  - Enterprise Client (compatible with 2000 & XP only)
  - High Security Client (compatible with 2000 & XP only)

Demonstration: Securing Windows Servers using Group Policy

Staying Secure

Overview - Staying Secure
- Awareness: Security Alert Notification Services
- Vulnerability Assessment
- Responding to Security Events: Patch Warfare (Thursday, Tutorial 6), Incident Response (Thursday, Tutorial 6)

Staying Secure - Security Alert Notification Service
- Get e-mail alerts of Microsoft security bulletins for all Microsoft products
- Plain-text e-mail, PGP signed with the MSRC PGP key

Staying Secure - Vulnerability Assessment
- Microsoft Baseline Security Analyzer 1.2
  - Local or remote vulnerability & patch scanner
  - Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, Biztalk, SNA, and HIS vulnerabilities / patches
  - English, German, French or Japanese builds!

Staying Secure - MBSA Pros and Cons
- Pros: free; great product coverage; agent-less
- Cons: requires authentication with the remote machine and the Remote Registry and Server services; slow when scanning large networks; no easy way to aggregate XML output

Staying Secure - 3rd Party vulnerability assessment software
- ISS Internet Scanner / System Scanner
- Foundstone FoundScan
- Much more in-depth than MBSA 1.2

Secure Windows Initiative

Secure Windows Initiative - Microsoft's New Security Culture
- Started with Bill Gates' Trustworthy Computing memo
- Led to SD3+C: Secure By Design, Secure By Default, Secure in Deployment + Communications

Secure Windows Initiative
- Windows Server 2003 is the first product to result from SWI and makes use of many Attack Surface Reductions (ASRs)
- Secure by Default
  - 60% less attack surface area by default compared to Windows NT 4.0 SP3
  - Services off by default
  - Services run at lower privilege

Secure Windows Initiative - SD3+C
- Secure by Design: code reviews; IIS re-architecture; threat models; $200M investment
- Secure in Deployment: configuration automation; identity management; monitoring infrastructure; prescriptive guidance
- Communications: community investment; architecture webcasts; Writing Secure Code 2.0

Secure Windows Initiative - Does SWI work? Let's have a look . . .
- MS03-007: vulnerability exploited through IIS 5.0 + WebDAV
- WS2003 / IIS 6 not affected because:
  - IIS6 is not installed by default
  - If it was installed, WebDAV is disabled by default
  - If it was enabled, IIS6 rejects long URLs by default
  - If it didn't reject long URLs, the BO would occur in a low privilege process, not a process running as SYSTEM

Secure Windows Initiative - Are there other examples?
- MS04-011 fixes 14 Windows vulnerabilities
- Of these 14 vulnerabilities, the LSASS and PCT vulnerabilities are critical on Windows 2000, and exploits were in the wild days after the patch was released!
- These vulnerabilities were rated as Low on Windows Server 2003. Why? Attack Surface Reductions (ASRs) as a result of SWI:
  - PCT is not enabled by default!
  - The LSASS vulnerability is not remotely exploitable by default!

Secure Windows Initiative - Want more? Coming soon:
- Secure Server Roles for Windows Server 2003: a task based security wizard to further automate hardening of WS2003 server roles
- Windows XP Service Pack 2: the most secure consumer operating system to date!

Security Improvements in XP Service Pack 2

Security Improvements in XP SP2 - Overview
- Network Protection Technologies
- Memory Protection Technologies
- Safer E-Mail
- Safer Browsing
- Windows Installer 3.0

Network Protection Technologies
- Alerter & Messenger GONE! (Okay, disabled)
- Universal Plug & Play also disabled by default
- Bluetooth network stack included by default; disabled unless a WHQL Bluetooth device is present

Network Protection Technologies - DCOM locked down by default!
- Previously, there was no way for administrators to enforce a machine-wide access policy for all DCOM applications
- XP has over 150 DCOM servers OOB!
- Many DCOM applications have weak "Launch" and "Access" permissions that allow anonymous remote activation / access!
- Administrators had no way to centrally manage / override these settings!
- DCOM solution: a machine-wide access check is performed before any server-specific access checks are performed
- Starting with XP SP2, only administrators can remotely launch / activate DCOM servers! Everyone is granted local launch, activation and call permissions

Network Protection Technologies - RPC locked down by default (RPC Interface Restriction)
- Previously RPC interfaces were wide open for anonymous access
- SP2 adds the RestrictRemoteClients setting and enables it by default; requires all remote RPC clients to authenticate
- The EPM now requires authN; you must set EnableAuthEpResolution to 1 on clients to get the EPM working again

Network Protection Technologies - Windows Firewall (the software formerly known as ICF)
- Boot time security
- On by default for all interfaces, global configuration (all interfaces can share the same configuration)
- Local subnet restriction
- Command line support (via netsh) for scriptomatic configuration (think logon scripts)
- "On with no exceptions"
- Exception list
- Multiple profiles
- RPC support
- Restore defaults
- Unattended setup for OEMs
- Multicast / broadcast support
- New and improved Group Policy configuration (via System.adm)

Memory Protection Technologies - Introducing Data Execution Protection (NX)
- Buffer overflows usually place shellcode on the stack or in the heap and cause execution to jump to that location
- NX marks areas of the stack / heap as non-executable, preventing this mal-code from running
  - Usermode apps that attempt to run such code will AV
  - Kernelmode drivers that attempt to run such code will bluescreen
- Supported on AMD64, IA64 and forthcoming x64 Intel CPUs for both 32bit and 64bit Windows XP

Memory Protection Technologies - /GS
- Stack based buffer overflow protection
- Places a canary value on the stack before / after stack allocations
- The value is checked when values are read from the stack to make sure the stack hasn't been overwritten
- If the canary value has changed, the process crashes rather than allowing code to execute

Safer E-Mail
- Outlook Express will read all e-mail as plain-text by default; blocks HTML e-mail exploits
- "Don't download external HTML content": if you choose to render HTML e-mail, external HTML is not rendered / downloaded; blocks "web bugs" etc.
- AES API (Attachment Execution Service): apps no longer have to roll their own attachment handling code (can be shared by IM, e-mail, etc.)

Safer Browsing - Internet Explorer
- Add-On Management / Crash Protection
- Binary Behaviors locked down now; an option appears in each zone for configuring them
- BindToObject mitigation: the ActiveX security model is now applied to URL binding
- Microsoft Java VM can be disabled per zone
- Local Machine Zone lockdown: all local files / content processed by IE run in the LMZ
  - No ActiveX objects allowed
  - Scripts set to Prompt
  - Binary Behaviors disallowed
  - No Java!

Safer Browsing - Internet Explorer (continued)
- Improved MIME handling: 4 different checks performed (Content-Type/Disposition from the header and MIME sniff)
- Object caching / scope: objects lose scope when browsing to a different domain / FQDN; sites can no longer access cached objects from other sites
- POP UP BLOCKER!
- "Never trust content from Publishername"
- One prompt per control per page (endless loop attack)

Safer Browsing - Internet Explorer (continued)
- Authenticode dialog box supports ellipses: annoying ActiveX controls with overly long descriptions can now be viewed
- Window restrictions: prevents UI spoofing attacks
- Script sizing / repositioning restrictions: prevents scripts from moving windows to hide URL bars / status bars etc.
- Status bar always visible: scripts can no longer disable it

Safer Browsing - Internet Explorer (continued)
- Script pop-up window placement: pop-ups are now constrained so that they
  - Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window
  - Are smaller in height than the parent WebOC window
  - Overlap the
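The "NULL Session Enumeration" and "RPC Interface Restriction" slides each name a registry setting as the countermeasure, and several slides say to disable services you do not need. The following read-only audit script is an added example, not part of the deck or of any Microsoft guidance; it checks the settings the slides mention and reports pass/fail with the deck's recommended fix. It assumes the standard registry locations for these values (RestrictAnonymous under Lsa, RestrictRemoteClients and EnableAuthEpResolution under the Rpc policy key) and the built-in service names. The note about RestrictAnonymous accepting only 0 or 1 on XP/2003 and later is my caveat, not the deck's.

```powershell
# Added example (not from the deck): read-only audit of a few countermeasures the slides name.
# Run in an elevated PowerShell session on the host being checked. Assumed registry paths/values:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa : RestrictAnonymous, EveryoneIncludesAnonymous
#   HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc : RestrictRemoteClients, EnableAuthEpResolution

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # absent value = OS default, which the checks below treat as "not hardened"
    }
}

function Test-NullSessionHardening {
    # Deck: RestrictAnonymous=2 (Windows 2000 semantics). My caveat: XP/2003 and later accept only
    # 0 or 1 here and use EveryoneIncludesAnonymous=0 to keep the Everyone SID out of the NULL token.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra  = Get-RegistryDword $lsa 'RestrictAnonymous'
    $eia = Get-RegistryDword $lsa 'EveryoneIncludesAnonymous'
    [pscustomobject]@{
        Check = 'NULL session enumeration'
        Value = "RestrictAnonymous=$ra EveryoneIncludesAnonymous=$eia"
        Pass  = ($ra -ge 1) -and ($eia -ne 1)
        Fix   = 'Set RestrictAnonymous (2 on Windows 2000, 1 on XP/2003+) and block TCP 139/445 at the firewall'
    }
}

function Test-RpcRestriction {
    # Deck: SP2 adds RestrictRemoteClients (on by default); clients that need the endpoint
    # mapper must have EnableAuthEpResolution=1.
    $rpc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
    $rrc = Get-RegistryDword $rpc 'RestrictRemoteClients'
    $eae = Get-RegistryDword $rpc 'EnableAuthEpResolution'
    [pscustomobject]@{
        Check = 'RPC interface restriction'
        Value = "RestrictRemoteClients=$rrc EnableAuthEpResolution=$eae"
        Pass  = ($rrc -ge 1)
        Fix   = 'Set RestrictRemoteClients=1 via Group Policy; set EnableAuthEpResolution=1 on clients'
    }
}

function Test-LegacyServices {
    # Deck: Alerter, Messenger and UPnP are disabled in SP2; stop the Server service where
    # file sharing is not needed. Services that do not exist on this OS version are skipped.
    foreach ($n in 'Alerter', 'Messenger', 'upnphost', 'SSDPSRV', 'LanmanServer') {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        [pscustomobject]@{
            Check = "Service $n"
            Value = "$($svc.Status) / $($svc.StartType)"
            Pass  = ($svc.Status -ne 'Running')
            Fix   = "Disable $n unless there is a documented need for it"
        }
    }
}

@(Test-NullSessionHardening; Test-RpcRestriction; Test-LegacyServices) | Format-Table -AutoSize
```

The script only reads; applying the fixes belongs in Group Policy or a security template, as the "Windows Server 2003 Security Guide" slides describe, so that the setting survives a rebuild. A running LanmanServer is reported as a finding because the deck says to stop it, but on a file server it is of course required, which is why each row carries the fix text rather than changing anything.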
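The "Password Hash Attacks" slides give a concrete policy (10+ character complex passwords, change every 60 days, 1 day minimum age, 24 passwords remembered, and no reliance on account lockout) and a chart of password length against rainbow-table cracking. The block below is an added example, not the deck's material: it writes that policy as a secedit security template and applies it, and it computes the raw keyspace per length so the shape of the deck's chart can be reproduced. The template keys and the secedit switches are the standard ones; the 94-character alphabet and the 10^9 guesses-per-second rate are my assumptions for illustration, since the chart's actual numbers are not on the page.

```powershell
# Added example (not from the deck): apply the deck's recommended password policy with a
# security template, and show why length is the lever against pre-computation attacks.
# Assumptions: standard secedit template format and switches; illustrative alphabet size and guess rate.

$template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 10
PasswordComplexity = 1
MaximumPasswordAge = 60
MinimumPasswordAge = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Install-PasswordPolicy {
    param([string]$Path = "$env:TEMP\pwpolicy.inf")
    # LockoutBadCount = 0 follows the deck: strong passwords instead of a lockout policy,
    # which would otherwise let a remote guesser lock out every account it names.
    Set-Content -Path $Path -Value $template -Encoding Unicode
    secedit /configure /db "$env:TEMP\pwpolicy.sdb" /cfg $Path /areas SECURITYPOLICY
}

function Get-PasswordSearchSpace {
    # Keyspace per length for the classes Windows complexity draws from:
    # 26 lower + 26 upper + 10 digits + 32 printable symbols = 94 (assumed alphabet).
    param(
        [int[]]$Lengths = 6..11,            # the lengths on the deck's chart axis
        [int]$Alphabet = 94,
        [double]$GuessesPerSecond = 1e9     # illustrative rate, not a figure from the deck
    )
    foreach ($len in $Lengths) {
        $space = [math]::Pow($Alphabet, $len)
        [pscustomobject]@{
            Length      = $len
            Bits        = [math]::Round([math]::Log($space, 2), 1)
            ExhaustDays = [math]::Round($space / $GuessesPerSecond / 86400, 1)
        }
    }
}

Get-PasswordSearchSpace | Format-Table -AutoSize
```

Each extra character multiplies the space by the alphabet size, which is why the deck moves the recommendation from 6 to 10 characters and then to pass-phrases: a rainbow table of fixed size covers a fixed fraction of the space, and a 60-day rotation only helps if the table cannot be walked within those 60 days. One caveat of my own that matters to the arithmetic: the deck lists LM among the sniffed protocols, and an LM hash is computed over two upper-cased 7-character halves, so while LM hashes are still stored the effective length is 7 no matter what the policy says.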
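The "Skilled" admin persona "monitors for account lockouts by checking event logs periodically", and the password-attack slides say any exposed authN service (NetBIOS, SMB, RDP, IIS) will be guessed against. The following is an added example of what that periodic check can look like as a query, not code from the deck: it groups failed logons by source address and flags sources over a threshold, and lists recent lockouts. It assumes logon auditing is enabled and uses the current Security event IDs 4625 (logon failure) and 4740 (account locked out); the deck's era used the older 529/539 and 644 IDs, and the threshold value is an assumption to be tuned against your own baseline.

```powershell
# Added example (not from the deck): surface password guessing against exposed authentication
# services from the Security log. Assumes logon auditing is on and the Vista+/2008+ event IDs.

function Get-EventField {
    # Read a named EventData field from the event XML instead of trusting Properties[] positions.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    return ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-PasswordGuessingSources {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 20    # assumed: failures from one source in the window worth a look
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Source      = Get-EventField $e 'IpAddress'
            Workstation = Get-EventField $e 'WorkstationName'
            Account     = Get-EventField $e 'TargetUserName'
            LogonType   = Get-EventField $e 'LogonType'      # 3 = network (SMB), 10 = RDP, 8 = IIS basic
            SubStatus   = Get-EventField $e 'SubStatus'      # 0xC000006A bad password, 0xC0000064 no such user
        }
    }

    $rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.Account | Sort-Object -Unique).Count   # many users, one source = spraying
            LogonTypes    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending
}

function Get-RecentLockouts {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = Get-EventField $_ 'TargetUserName'
            From    = Get-EventField $_ 'TargetDomainName'   # in 4740 this field carries the caller computer name
        }
    }
}

Get-PasswordGuessingSources | Format-Table -AutoSize
Get-RecentLockouts | Format-Table -AutoSize
```

Run it against a domain controller for domain accounts and against each Internet-facing host for local accounts. A source with a high failure count and a high DistinctUsers count is the "guess a weak password across many accounts" pattern the deck warns lockout policies cannot stop, which is the case for the strong-password countermeasure; a single account with many failures from one source is the case for blocking that port from unauthorized networks, as the slides recommend.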