About This Presentation

Title: EDUCAUSE 2006: Seminar 09F

Description: Frequent Mistakes made in Windows Security. Updates turned off ... MU updates all MS products not just windows. Office updates, Server product patches ... (PowerPoint PPT presentation)

Slides: 36
Provided by: johnbru
Learn more at: http://net.educause.edu

Transcript and Presenter's Notes


1
EDUCAUSE 2006 Seminar 09F
  • Effective Security Practices for Higher Education
  • WINDOWS SECURITY
  • John Bruggeman
  • Director of Information Systems
  • Hebrew Union College - Jewish Institute of
    Religion

2
Windows Security !
  • Agenda
  • Top Vulnerabilities in Windows Systems
  • (Is there anything new?)
  • Frequent Security mistakes
  • (Avoid being 0wn3d by a b0t)
  • Patching Windows
  • (What happened to cleaning them?)
  • Hardening Windows
  • (Tempered Glass doesn't count!)
  • Tools and Tips
  • (What do the Pros use and Hackers use?)

3
Windows Security !?
  • Top Vulnerabilities in Windows Systems
  • From the SANS website www.sans.org
  • Windows Services
  • Internet Explorer
  • Windows Libraries
  • MS Office and Outlook Express
  • Windows Configuration Weaknesses

4
Windows Security !?
  • Top Vulnerabilities in Windows Systems
  • From the SANS website www.sans.org
  • Windows Services
  • Critical Vulnerabilities were discovered in these
    services in 2005
  • MSDTC and COM (MS05-051)
  • Print Spooler (MS05-043)
  • Plug and Play (MS05-047, 039)
  • Server Message Block Service (MS05-027, 011)
  • Exchange SMTP Service (MS05-021)
  • Message Queuing Service (MS05-017)
  • License Logging Service (MS05-010)
  • What to do?
  • Disable Service if possible
  • Scan for Vulnerabilities
  • PATCH

5
Windows Security !?
  • From the SANS Website www.sans.org
  • 2) Internet Explorer
  • Multiple vulnerabilities were discovered in 2005
    in IE
  • Cumulative Security Patch (MS05-052, 038, 025,
    020, 014)
  • JView Profile Remote Code Execution (MS05-037)
  • Windows Shell Remote Code Execution (MS05-008)
  • How to mitigate
  • On XP, install SP2
  • On 2000, NT, keep patches current
  • Use DropMyRights from MS to lower IE privileges
  • Check your Browser Helper Objects (BHO) for
    spyware
  • Disable Scripting and ActiveX

6
Windows Security !?
  • From the SANS Website www.sans.org
  • 3) Windows Libraries
  • DLLs can have buffer overflow vulnerabilities
  • Vulnerabilities discovered in 2005
  • Windows Graphic Rendering Engine (MS05-053)
  • Microsoft Direct Show (MS05-036)
  • HTML Help remote code exec (MS05-026, 001)
  • Web View remote code exec (MS05-024)
  • Windows Shell remote code (MS05-049, 016)
  • PNG Image Processing remote code (MS05-009)
  • Patch your system and scan for vulnerabilities
  • Use least privileges where possible
  • Filter IP ports 135-139, 445
  • Use an IPS and IDS

7
Windows Security !?
  • From the SANS Website www.sans.org
  • 4) MS Office and Outlook Express
  • Attack vectors are email attachments, website
    documents, and news servers
  • Several critical vulnerabilities in 2005
  • Cumulative Security for Outlook Express
    (MS05-030)
  • Microsoft OLE and COM remote (MS05-012)
  • MS Office XP remote code exec (MS05-005)
  • MS Access no patch yet available
  • Check your systems with a vulnerability scanner
  • Mitigate by patching, disable IE feature of
    opening Office documents
  • Configure Outlook with enhanced security

8
Windows Security !?
  • From the SANS Website www.sans.org
  • 5) Windows configuration Weaknesses
  • Weak passwords on accounts or network shares
  • LAN Manager hashes are weak and should be
    replaced with stronger more current hash
    techniques
  • Default configuration for servers and
    applications can open machines to password
    guessing.
  • MSDE ships with SA account set with a blank
    password.
  • Several worms take advantage of this, Voyager,
    Alpha Force, SQL Spida use known weak
    configurations to spread
  • Enforce a strong password policy
  • Prevent Windows from storing the LM hash in AD or
    the SAM
  • Disable NULL shares and restrict anonymous access

9
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Deirdre Hurley
  • www.sans.org/reading_room/whitepapers/windows/1016.php
  • Allowing Null Sessions
  • Weak Lockout Policies
  • Weak Account Policies
  • Multiple Trust relationships
  • Multiple Domain admin accounts
  • Audit logs turned off
  • Automatic Updates turned off

10
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Allowing Null Sessions
  • What is a Null session?
  • net use \\10.1.1.1\ipc$ "" /user:""
  • So what?
  • You can download usernames, login information,
    lockout policy information, etc.
  • How do you disable one?
  • MS Security Policy MMC snap-in
  • Update registry key
  • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
  • Tools to test
  • www.securityfriday.com/tools/GetAcct.html
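Checking the registry setting this slide names, from the defender's side, as an added example (this script is not from the slides or the presenter): it reads RestrictAnonymous together with the two related LSA values that XP and 2003 use to close the remaining anonymous-enumeration paths, reports which ones differ from the restrictive setting, and with -Remediate writes them. It assumes an elevated prompt on the host being checked.

```powershell
# Added example, not from the slides: audit the LSA registry values that control
# anonymous (null-session) access and, with -Remediate, set them to the
# restrictive values. Run from an elevated prompt on the host being checked.
[CmdletBinding()]
param(
    [switch]$Remediate   # write the values instead of only reporting them
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RestrictAnonymous is the value the slide names; the other two are the related
# values XP/2003 added so that SAM enumeration and "Everyone" membership are
# also closed to anonymous logons.
$desired = [ordered]@{
    RestrictAnonymous         = 1   # no anonymous enumeration of shares and accounts
    RestrictAnonymousSAM      = 1   # no anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # anonymous logons are not members of Everyone
}

$current = Get-ItemProperty -Path $lsaKey

$findings = foreach ($name in $desired.Keys) {
    $actual = $current.$name          # $null when the value has never been set
    [pscustomobject]@{
        Value    = $name
        Expected = $desired[$name]
        Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
        Ok       = ($actual -eq $desired[$name])
    }
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { -not $_.Ok }) {
        # -Type DWord creates the value if it is missing and overwrites it otherwise
        Set-ItemProperty -Path $lsaKey -Name $f.Value -Value $f.Expected -Type DWord
        Write-Host "Set $($f.Value) = $($f.Expected)"
    }
    Write-Host 'Restart the computer for the new anonymous-access settings to take effect.'
}
```

An absent value is reported as `<absent>` rather than treated as 0, because on a default install the value simply does not exist and the effective behaviour then depends on the OS version; the Security Policy snap-in the slide mentions writes the same values, so the two methods can be used interchangeably.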

11
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Weak Lockout Policies
  • If you don't have one then brute force attacks
    can succeed
  • If you do have one it becomes more difficult
  • Suggested levels
  • Enable Account Lockout Threshold at 5 attempts
  • Enable Account Lockout Duration to 30 minutes
  • Disable Reset Account Lockout Threshold after
  • Also, enable Administrator account lockout
  • Get the ADSI Edit Snap-in from Windows 2000
    support tools
  • http://support.microsoft.com/kb/885119/en-us

12
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Weak Account Policies
  • Be aware, local account policies on 2000 override
    domain account policies
  • Some admins create local users to match domain
    users
  • Forget to set the local Administrator password,
    sometimes leaving it blank
  • General rules for accounts and passwords
  • Maximum password age 90 days
  • Minimum password age 5 days
  • Minimum password length of at least 7 characters,
    14 for Administrators
  • Password Uniqueness remember 13 passwords
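The lockout levels on the previous slide and the account rules on this one can be checked together against a machine's effective local policy. The following is an added example, not code from the slides or the presenter: it parses the output of `net accounts`, which reports both the password and lockout settings, and flags each value that falls outside the suggested range. It runs against the local machine (on a domain member the domain policy still governs domain accounts) and assumes the English output format of `net accounts`.

```powershell
# Added example, not from the slides: read the local account and lockout policy
# from "net accounts" and compare it with the levels the two slides suggest.
# Runs against the local machine; the parsing assumes English "net accounts" output.

# Suggested values from the slides: Min is the least acceptable value, Max the most.
$suggested = [ordered]@{
    'Maximum password age (days)'           = @{ Min = 1;  Max = 90 }    # a finite age, at most 90 days
    'Minimum password age (days)'           = @{ Min = 5;  Max = $null }
    'Minimum password length'               = @{ Min = 7;  Max = $null } # 14 for Administrators (not checked here)
    'Length of password history maintained' = @{ Min = 13; Max = $null }
    'Lockout threshold'                     = @{ Min = 1;  Max = 5 }     # lock after at most 5 failed attempts
    'Lockout duration (minutes)'            = @{ Min = 30; Max = $null }
}

# "Never", "None" and "Unlimited" all mean the control is off; treat them as 0
function ConvertTo-PolicyNumber([string]$Text) {
    if ($Text -match '^\d+$') { return [int]$Text }
    return 0
}

# Each output line is "<setting>:<spaces><value>"; split on the first ':' only
$policy = @{}
foreach ($line in (net accounts)) {
    $parts = $line -split ':\s+', 2
    if ($parts.Count -eq 2) {
        $policy[$parts[0].Trim().TrimEnd('?')] = $parts[1].Trim()
    }
}

$report = foreach ($name in $suggested.Keys) {
    $rule   = $suggested[$name]
    $number = ConvertTo-PolicyNumber $policy[$name]
    $ok     = ($number -ge $rule.Min) -and (($null -eq $rule.Max) -or ($number -le $rule.Max))
    [pscustomobject]@{
        Setting   = $name
        Current   = if ($policy.ContainsKey($name)) { $policy[$name] } else { '<not reported>' }
        Suggested = if ($null -eq $rule.Max) { ">= $($rule.Min)" } else { "$($rule.Min)-$($rule.Max)" }
        Ok        = $ok
    }
}
$report | Format-Table -AutoSize
```

A lockout threshold of "Never" and a maximum password age of "Unlimited" both convert to 0 and therefore fail, which is the point: those are the "no policy" cases the slide warns about. The 14-character rule for administrator accounts is a per-account convention rather than a policy setting, so it is noted in a comment but not tested.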

13
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Multiple Trust relationships
  • Limit the number of trusts in your domain
  • Fewer gaps, less that has to be guarded
  • Windows 2000 Tool to find out what trusts you
    have
  • NT Resource Kit - NLTEST

14
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Multiple Domain admin accounts
  • Avoid the mistake of having three or four (or
    more) Domain accounts, or having domain
    privileges with normal users
  • Use the practice of least privileges for all
    accounts
  • Change default passwords for typical accounts
  • Backup software
  • ArcServe, Tivoli, BackupExec
  • Test accounts
  • Test, dummy,
  • Lab accounts
  • Administrator accounts

15
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Audit logs turned off
  • By default audit logs are turned off
  • Hackers have tools like DUMPACL and DumpSec to
    find out if auditing is turned on or off
  • Recommend settings for Auditing
  • Account logon events (Success and Failures)
  • Logon Events
  • Account Management
  • Policy Changes
  • System Events
  • Object Access (Success and Failures)
  • Files, folders, and registry keys must then be set
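Since the slide's point is that auditing is off by default, a quick way to confirm what a host actually audits is to export its local policy and read the classic audit categories. The script below is an added example, not from the slides or the presenter: it runs `secedit /export`, parses the `[Event Audit]` section, and compares each category with the recommended setting. It assumes an elevated prompt; where the slide does not say success or failure, both are assumed.

```powershell
# Added example, not from the slides: export the local security policy with
# secedit and compare its [Event Audit] section with the categories the slide
# recommends. Run from an elevated prompt. In the export, 0 = no auditing,
# 1 = success, 2 = failure, 3 = success and failure.
$recommended = [ordered]@{
    AuditAccountLogon  = 3   # Account logon events: success and failure (slide)
    AuditLogonEvents   = 3   # Logon events (slide gives no detail; both assumed)
    AuditAccountManage = 3   # Account management
    AuditPolicyChange  = 3   # Policy changes
    AuditSystemEvents  = 3   # System events
    AuditObjectAccess  = 3   # Object access: success and failure (slide)
}
$levelName = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

$cfg = Join-Path $env:TEMP 'audit-policy-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; are you running elevated?' }

# Minimal INI walk: only lines inside [Event Audit] are of interest
$actual  = @{}
$inAudit = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inAudit = ($matches[1] -eq 'Event Audit'); continue }
    if ($inAudit -and $line -match '^(\w+)\s*=\s*(\d+)') { $actual[$matches[1]] = [int]$matches[2] }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$report = foreach ($name in $recommended.Keys) {
    $have = if ($actual.ContainsKey($name)) { $actual[$name] } else { 0 }
    [pscustomobject]@{
        Category    = $name
        Current     = $levelName[$have]
        Recommended = $levelName[$recommended[$name]]
        # Bitwise test: success (1) and failure (2) are independent flags
        Ok          = (($have -band $recommended[$name]) -eq $recommended[$name])
    }
}
$report | Format-Table -AutoSize
```

Enabling Object Access only makes the category eligible for auditing; as the slide's last bullet says, each file, folder or registry key still needs its own audit entry (SACL) before anything is logged. On Vista and later, if the "force audit policy subcategory settings" option is on, `auditpol /get /category:*` is the authoritative view and the category values read here may be overridden.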

16
Windows Security !?
  • Frequent Mistakes made in Windows Security
  • Updates turned off
  • SANS, Gartner Group, others report that 80-90% of
    attacks are from known vulnerabilities.
  • SQL Slammer, W32.Slammer in 2005 attacked a known
    vulnerability that had a patch available 6 months
    before it hit.
  • Need to patch systems and keep them current
  • Does require a patch management strategy
  • Will require time
  • Payoff is less downtime

17
Windows Security !?
  • Patching Windows
  • Rod Gode, UC Davis IT Security Symposium 2005
  • What to Patch and How to Patch
  • Options
  • Commercial
  • Microsoft Provided
  • Deployment and Testing
  • Get some test machines
  • Verification
  • MBSA

18
Windows Security !?
  • Patching Windows
  • What to Patch
  • OS
  • Applications
  • BIOS
  • Firmware
  • Types of Patches from MS
  • Hotfix, Update, Critical Update, Security Patch,
    Update Roll-up, Service Pack

19
Windows Security !?
  • How to Patch
  • Develop a Plan
  • Hardware and Software Inventory
  • Patch management Policy Process
  • Include a notification process
  • Track and check patch level
  • Download and test patches prior to deployment
  • Deploy patches
  • Audit workstations for compliance

20
Windows Security !?
  • How to Patch
  • Tools from Microsoft (MS)
  • Analysis tool from MS, Microsoft Baseline
    Security Analyzer (MBSA)
  • Online update services
  • Microsoft Update, Windows Update, or Download
    Center
  • Push / Management tools
  • WSUS server, SMS server, Group Policies

21
Windows Security !?
  • How to Patch
  • Tools from Microsoft
  • Microsoft Update is different than Windows Update
  • MU updates all MS products not just windows
  • Office updates, Server product patches
  • WSUS is the updated SUS server
  • New version coming out, WSUS 3.0 in Beta now
  • www.microsoft.com/wsus
  • Target client installs, selective client
    patching, uninstall options

22
Windows Security !?
  • How to Patch
  • Commercial Tools
  • Altiris Patch Management
  • www.altiris.com
  • BigFix Patch Manager
  • www.bigfix.com
  • Ecora Patch Manager
  • www.ecora.com
  • LanDesk Patch Management
  • www.landesk.com

23
Windows Security !?
  • Deployment Options
  • WSUS and SMS
  • Group Policy options (2000 and XP only)
  • Create an Install Package (MSI file) containing
    the patch, see KB article 257718 on how to do
    this
  • Store the MSI file on a network share
  • Assign the patch to groups via a group policy
  • Choose the assigned publishing method
  • Patch will be installed on assigned computers
    using the Windows Installer program
  • Slipstream
  • Create an image w/ service packs and patches

24
Windows Security !?
  • Testing and Verification
  • Patch systems are not perfect, you need to test
    after patches have been applied
  • Tools
  • Microsoft Baseline Security Analyzer 2.0
  • Used for Windows 2000 SP3 and later
  • Office XP and later
  • Exchange 2000 and later
  • Microsoft Baseline Security Analyzer 1.2.1
  • Office 2000
  • Exchange 5.0 and 5.5

25
Windows Security !?
  • Testing and Verification
  • Commercial Tools
  • BindView - www.bindview.com
  • Computer Associates - www.ca.com
  • Network Associates - www.nai.com
  • Symantec - www.symantec.com
  • Trend Micro - www.trendmicro.com
  • Foundstone - www.foundstone.com

26
Windows Security !!
  • Hardening Windows
  • Advanced Information Assurance Handbook, CERT
  • Hardening techniques
  • Limit services
  • Limit applications
  • Limit protocols
  • Intrusion Protection techniques
  • Software options to monitor file changes
  • Host based firewalls
  • Tools from Microsoft

27
Windows Security !!
  • Hardening Windows
  • Hardening techniques
  • Limit services
  • Verify what services are needed
  • On servers, usually these can be disabled
  • IIS (unless needed), Fax service, Indexing
    service, Messenger, Telnet, Remote Access, QoS
    RSVP, others.
  • On workstations disable unless needed
  • Fax service, Indexing service, messenger, Telnet,
    others
  • Enable firewall
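To turn the "disable unless needed" list into something repeatable, the script below (an added example, not from the slides or the presenter) looks up the services named on this slide by their XP/2003-era internal service names, reports which are installed, running or set to start, and with -Disable stops them and sets the start type to Disabled. It assumes an elevated prompt and that the internal names (W3SVC, Fax, CISVC, Messenger, TlntSvr, RemoteAccess, RSVP) match the display names the slide uses.

```powershell
# Added example, not from the slides: list the services the slide says can
# usually be disabled, show whether each is installed/running/set to start,
# and with -Disable stop them and set the start type to Disabled. Service
# names are the XP/2003-era internal names; run from an elevated prompt.
[CmdletBinding()]
param(
    [switch]$Disable,
    # Keep IIS on hosts that really serve web content ("unless needed" on the slide)
    [switch]$KeepIIS
)

$candidates = [ordered]@{
    W3SVC        = 'IIS World Wide Web Publishing'
    Fax          = 'Fax service'
    CISVC        = 'Indexing service'
    Messenger    = 'Messenger (net send), not Windows Messenger'
    TlntSvr      = 'Telnet server'
    RemoteAccess = 'Routing and Remote Access'
    RSVP         = 'QoS RSVP'
}
if ($KeepIIS) { $candidates.Remove('W3SVC') }

$report = foreach ($name in $candidates.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }              # not installed on this build
    [pscustomobject]@{
        Service     = $name
        Description = $candidates[$name]
        State       = $svc.State             # Running / Stopped
        StartMode   = $svc.StartMode         # Auto / Manual / Disabled
        NeedsAction = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
    }
}
$report | Format-Table -AutoSize

if ($Disable) {
    foreach ($r in $report | Where-Object NeedsAction) {
        # Stop first so a running instance does not linger until reboot, then disable
        Stop-Service -Name $r.Service -Force -ErrorAction SilentlyContinue
        Set-Service -Name $r.Service -StartupType Disabled
        Write-Host "Disabled $($r.Service) ($($r.Description))"
    }
}
```

Run it without -Disable first: a service that is stopped but still set to Manual or Auto is reported as needing action, because an attacker or a dependent application can start it again; Disabled is the state that actually removes the exposure.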

28
Windows Security !!
  • Hardening Windows
  • Hardening techniques
  • Limit applications
  • Verify what applications are needed, many can be
    removed without impacting functionality
  • On servers, usually you can remove the following
  • Outlook Express, IIS, Media Player, Journal
    viewer, Games, POSIX, OS2 subsystem
  • On workstations, usually you can remove the same
  • Limit what applications end users can run
  • Do not allow end users to install applications

29
Windows Security !!
  • Hardening Windows
  • Hardening techniques
  • Limit protocols
  • Verify what protocols are needed for your network
  • On servers normally TCP/IP is sufficient
  • On workstations normally TCP/IP is all that is
    needed
  • Remove IPX/SPX, NetBIOS
  • Limit Network devices
  • Bluetooth (disable unless needed)
  • Wireless (disable unless needed)
  • Firewire (disable unless needed)

30
Windows Security !!
  • Hardening Windows
  • Firewalls
  • Host based firewalls
  • Server options
  • Windows 2003 SP1 firewall option
  • Workstation options
  • XP SP2, ZoneAlarm, Tiny Personal Firewall
  • 85 listed on Download.com
  • IPSEC
  • Encrypt traffic from host to host
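The host-based firewall options on this slide are where the earlier advice to "filter IP ports 135-139, 445" (slide 6) is applied per machine. The following is an added example, not from the slides or the presenter: it creates inbound block rules for the RPC endpoint mapper, NetBIOS and SMB ports, scoped to the Private and Public profiles so that file and print sharing keeps working on the managed (Domain) network. It uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later, which did not exist in 2006; on XP SP2 and 2003 SP1 the same rules are made in the Windows Firewall UI or with `netsh firewall`. It assumes an elevated prompt.

```powershell
# Added example, not from the slides: a host-firewall counterpart to "filter
# ports 135-139, 445" for the workstation/server firewall options the slides
# discuss. Uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later).
# Run from an elevated prompt; -WhatIf previews the rules without creating them.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Profiles the block applies to. Domain is left out so file and print sharing
    # keeps working on the managed network; pass 'Domain,Private,Public' for a
    # host that should never accept NetBIOS/SMB at all.
    [string]$Profiles = 'Private,Public'
)

# One rule per service so each can be disabled independently later
$rules = @(
    @{ Name = 'Block inbound RPC endpoint mapper (TCP 135)';       Protocol = 'TCP'; Port = 135      },
    @{ Name = 'Block inbound NetBIOS name/datagram (UDP 137-138)'; Protocol = 'UDP'; Port = 137, 138 },
    @{ Name = 'Block inbound NetBIOS session (TCP 139)';           Protocol = 'TCP'; Port = 139      },
    @{ Name = 'Block inbound SMB over TCP (TCP 445)';              Protocol = 'TCP'; Port = 445      }
)

foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Already present: $($r.Name)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($r.Name, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile $Profiles -Enabled True |
            Out-Null
    }
}

# Show what is listening on the blocked TCP ports so the impact is visible
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 135, 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort |
    Format-Table -AutoSize
```

Block rules win over allow rules in the Windows firewall, so these rules override the built-in "File and Printer Sharing" exceptions on the profiles they cover; the listener table printed at the end shows which processes would lose reachability, which is the check to make before rolling the rules out to a server.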

31
Windows Security !!
  • Hardening Windows
  • Intrusion Protection Systems
  • IPS vs IDS
  • Why detect when you can protect?
  • Signature vs Anomaly
  • IPS can be host or network based
  • IPS Host options
  • EEye BLINK, Prevx Home
  • IDS host options
  • SFC System File Check from MS (can be spoofed)
  • LanGuard
  • IPS Network options
  • Forescout, Tipping Point, McAfee, ISS are options

32
Windows Security !!
  • Hardening Windows
  • Tools from Microsoft
  • www.microsoft.com/technet/security/tools
  • MBSA 2.0
  • Microsoft Enterprise Scan Tool
  • Security Assessment Tool
  • IIS Lockdown Tool
  • Hardens IIS
  • URLScan Security Tool
  • Included in IIS lockdown tool
  • Cipher Security Tool
  • Shredder for deleted files
  • Port Reporter
  • Logging tool for TCP and UDP activity on XP,
    2003, 2000

33
Windows Security :-)
  • Tools and Techniques
  • Shareware tools
  • MetaSploit
  • Framework for testing exploits
  • Nessus
  • Scanning tool to check for vulnerabilities
  • Ethereal
  • Packet sniffer

34
Windows Security :-)
  • Tools and Techniques
  • Shareware Tools
  • MetaSploit
  • DEMO
  • Nessus
  • DEMO
  • Ethereal
  • DEMO

35
Windows Security :-)
  • Resources
  • www.educause.edu/security
  • www.microsoft.com/technet/security
  • www.sans.org/reading_room/whitepapers/windows
  • www.securityfriday.com
  • www.cert.org
  • www.hackingexposed
  • www.incidents.org