Tom Duke Systems Engineer RAZOR Team Mel Pless Systems Engineer RAZOR Team - PowerPoint PPT Presentation

Description: Password crackers are fast and getting faster. ... Use a one-time password pad whenever possible and strong passwords the rest of the time.

Provided by: melp6
Learn more at: http://isacahouston.org

Transcript and Presenter's Notes

Title: Tom Duke, Systems Engineer, RAZOR Team; Mel Pless, Systems Engineer, RAZOR Team

2
Tom Duke, Systems Engineer, RAZOR Team
Mel Pless, Systems Engineer, RAZOR Team
  • Windows 2000 and Active Directory
  • Security Guidelines

3
Agenda
  • Overview
  • Windows System Hardening Suggestions
  • Active Directory Security Suggestions
  • Security Best Practices Guidelines
  • Reminders
  • References

4
Role of Corporate Culture
  • Paramount to the success of an enterprise
    security program are the relationships among risk
    analysis, the organization's culture, and
    security policy.

5
Security is Everyone's Responsibility
  • A security policy should communicate to everyone
    in your organization the simple principle that
    information is a valuable asset and everyone is
    responsible for protecting it.

6
Philosophy of Protection
  • Security is embedded
  • Security is logically centralized but distributed
    globally
  • Security is applied to multiple layers
  • Security is an enabler, not a roadblock
  • External validation of security is required

7
Security Concepts
  • Need-to-Protect
  • Least Privilege
  • Separation of Duties
  • Defense in Depth
  • Role-based Access Control
  • Identification

8
Things To Remember
  • Policies are cross-platform; implementations are not
  • Policies must be designed to be implemented:
    "nirvana" security policies are not effective
  • Implementation should include:
    • Ongoing auditing
    • Enforcement
    • Non-IT remedies
  • Leverage solutions to speed the process

9
Windows 2000 System Hardening Suggestions
10
System Hardening Intent
  • Process should result in a server with virtually
    everything locked down and disabled.
  • This should provide a secure base upon which to
    build.
  • After this procedure is completed, the services
    this machine is to offer can be selectively
    enabled.

11
Recommendations
  • Updated Patches
    • Service Packs
    • Hotfixes
    • High Encryption Pack
  • Enable Auditing
  • Set Password Policy
  • Account Lockout
  • User Rights
  • Event Log
  • Services
  • Other Settings

12
Updates
  • PATCH, PATCH, PATCH!!!

13
Implementing an Auditing Policy
  • Audit settings should be tested to see whether:
    • They capture the expected events
    • Audit log data can be analyzed and understood
    • The amount of audit log data is manageable

14
Windows 2000 Auditing: RAZOR Recommendations
  • Enable auditing for the following categories:
    • Account logon: success and failure
    • Account management: success and failure
    • Directory service access: failure
    • Logon events: success and failure
    • Object access: failure
    • Policy change: success and failure
    • Privilege use: failure
    • Process tracking: none
    • System events: success and failure

15
Setting Policies
16
Password Policy: RAZOR Recommendations
  • Enforce password history: 7 (or higher)
  • Maximum password age: 42 days (default)
  • Minimum password age: 0 days (default)
  • Minimum password length: 7
  • Password must meet complexity requirements: enabled
  • Note: with a minimum age of 0, a user can change
    the password 8 times in a row and land back on the
    old one, which defeats the history setting; set a
    minimum age of at least 1 day if the history is
    meant to be enforced.

17
Account Lockout Policy: RAZOR Recommendations
  • Account lockout duration: 10 minutes (or more)
  • Account lockout threshold: 5 invalid attempts
  • Reset account lockout counter after: 10 minutes

18
User Rights: RAZOR Recommendations
  • Never assign the following user rights to any
    user or group:
  • Act as part of the OS
  • Create a token object
  • Create permanent shared objects
  • Debug programs
  • Generate security audits
  • Lock pages in memory
  • Manage auditing and security log
  • Modify firmware environment variables
  • Replace a process level token
  • Synchronize directory service data

19
User Rights: RAZOR Recommendations
  • Access this computer from the network: remove
    Everyone, Users, Power Users and Backup Operators
    (if possible)
  • Bypass traverse checking: change Everyone to
    Authenticated Users
  • Change the system time: remove Power Users
  • Deny access to this computer from the network:
    add ANONYMOUS LOGON
  • Deny logon as a batch job: add ANONYMOUS LOGON

20
User Rights (contd.): RAZOR Recommendations
  • Deny logon as a service: add ANONYMOUS LOGON
  • Deny logon locally: add ANONYMOUS LOGON
  • Log on locally: remove Users, Power Users, Guest
    and TsInternetUser
  • EVERYONE should not be listed in any right at
    this point

21
Event Log Settings: RAZOR Recommendations
  • Set each log to a minimum of 10MB in size
  • If exporting to a central repository, set to NOT
    overwrite
  • Otherwise, overwrite as needed
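
The settings from slides 14 through 22 can be written as one security template and applied with secedit, which is the same mechanism the Security Templates snap-in uses. The block below is an added example, not code from the RAZOR presentation. It assumes you run it as Administrator, that C:\Harden is a scratch directory, that a local group named Auditors already exists (slide 22), and that the failed-logon check at the end runs on Vista or later (Get-WinEvent); the template itself imports on Windows 2000 as well. Two rights from slide 18, "Generate security audits" and "Replace a process level token", are deliberately not emptied: on XP/2003 and later the LOCAL SERVICE and NETWORK SERVICE accounts need them.

```powershell
# Added example, not from the RAZOR slides: the password, lockout, audit,
# user-rights and event-log recommendations (slides 14-22) as a security
# template, applied with secedit and then checked.
# Assumptions: run as Administrator; C:\Harden is a scratch directory; a local
# group named Auditors already exists.

$workDir = 'C:\Harden'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir 'razor.inf'
$db  = Join-Path $workDir 'razor.sdb'

# Template syntax for principals is *SID or an account name. SIDs used:
#   *S-1-5-32-544 Administrators  *S-1-5-11 Authenticated Users  *S-1-5-7 ANONYMOUS LOGON
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; slide 16
PasswordHistorySize = 7
MaximumPasswordAge = 42
MinimumPasswordAge = 0
MinimumPasswordLength = 7
PasswordComplexity = 1
; slide 17 (ResetLockoutCount may not exceed LockoutDuration)
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10

[Event Audit]
; slide 14: 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3

[Privilege Rights]
; slide 18: an empty assignment removes every current holder of the right
SeTcbPrivilege =
SeCreateTokenPrivilege =
SeCreatePermanentPrivilege =
SeDebugPrivilege =
SeLockMemoryPrivilege =
SeSystemEnvironmentPrivilege =
SeSyncAgentPrivilege =
; slides 19-20
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeChangeNotifyPrivilege = *S-1-5-11
SeSystemtimePrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-7
SeDenyBatchLogonRight = *S-1-5-7
SeDenyServiceLogonRight = *S-1-5-7
SeDenyInteractiveLogonRight = *S-1-5-7
SeInteractiveLogonRight = *S-1-5-32-544
; slide 22: only the Auditors group may manage the security log
SeSecurityPrivilege = Auditors

; slide 21: sizes are in KB. AuditLogRetentionPeriod 2 = never overwrite
; (use when events are shipped to a central repository), 0 = overwrite as needed
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
'@ | Set-Content -Path $inf -Encoding Unicode

secedit /configure /db $db /cfg $inf /log "$workDir\configure.log" /quiet
# Re-analyse against the same template: any line flagged here did not take.
secedit /analyze /db $db /cfg $inf /log "$workDir\analyze.log" /quiet
Select-String -Path "$workDir\analyze.log" -Pattern 'Mismatch|Error|Failed'

# Slide 13: prove the audit policy records what you expect. A logon with a
# wrong password must now show up as a failed-logon event (529 on Windows 2000,
# 4625 on Vista and later). Properties[5] is TargetUserName, [7] is Status.
$secret = ConvertTo-SecureString 'WrongPassword' -AsPlainText -Force
$bad = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList '.\no-such-user', $secret
try { Start-Process cmd.exe -ArgumentList '/c exit' -Credential $bad -ErrorAction Stop } catch { }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-2) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } },
                  @{ n = 'Status'; e = { '0x{0:X}' -f $_.Properties[7].Value } }
```

The 10 MB log size is the slide's 2002 figure; current Windows defaults are already larger, and a host whose security log is set to "never overwrite" simply stops recording once it fills, so size it for the interval between collections. Removing "Debug programs" from Administrators, as slide 18 asks, also breaks some administrative tooling on current builds; know that before you apply the template to a box you still need to troubleshoot.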

22
Securing the Security Event Log
  • The Security event log records unauthorized access
    attempts, so control of it should be limited:
    • Create an Auditors group
    • Give it Full Control of the log
    • Remove all administrators
    • Grant the group the user right "Manage auditing
      and security log"

23
Service Settings: RAZOR Recommendations
  • All non-essential services should be disabled
  • Only enable services as needed

24
Service Settings: RAZOR Recommendations
  • All non-essential services should be disabled
  • Stop and disable the following services:
    • Alerter
    • Application Management
    • ClipBook
    • COM+ Event System
    • System Event Notification
    • Computer Browser
    • DHCP Client (if using a fixed IP address, which
      is strongly recommended)
    • Distributed File System
    • Distributed Link Tracking Client
    • Distributed Link Tracking Server
    • Distributed Transaction Coordinator
    • Fax Service
    • File Replication
    • IIS Admin Service
    • Indexing Service
    • Internet Connection Sharing
    • Intersite Messaging

25
Service Settings (contd.): RAZOR Recommendations
  • Stop and disable the following services:
    • Kerberos Key Distribution Center
    • License Logging Service
    • Logical Disk Manager
    • Logical Disk Manager Administrative Service
    • Messenger
    • Netlogon
    • NetMeeting Remote Desktop Sharing
    • Network Connections
    • Network DDE
    • Network DDE DSDM
    • Performance Logs and Alerts
    • Print Spooler
    • QoS RSVP
    • Remote Access Auto Connection Manager
    • Remote Access Connection Manager
    • RPC Locator
    • Removable Storage
    • RunAs Service
    • Server
    • SMTP
    • Smart Card
    • Smart Card Helper
    • Task Scheduler
    • Telephony
    • Telnet
    • Terminal Services
    • UPS (if not used)
    • Utility Manager
    • Windows Installer
    • WMI
    • WMI Driver Extensions
    • Workstation
    • WWW Publishing
    • Windows Time (unless you have an internal NTP
      server it can talk to)
  • This list assumes a stand-alone server. A domain
    member still needs Workstation and Netlogon; a
    domain controller additionally needs the Kerberos
    Key Distribution Center, File Replication,
    Intersite Messaging and Server; and an admin who
    follows the secondary-authentication advice later
    in this deck needs the RunAs Service. Re-enable
    those selectively for the role the machine has.
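
Disabling the list from slides 24-25 one service at a time through the Services console is slow and easy to get wrong, so here is the same job as a script, with an explicit exception list for the role the machine plays. This is an added example, not code from the presentation. The short service names are my own mapping of the slides' display names (Windows 2000 names; several no longer exist on current builds and the script reports them as not installed), and the role in $keep is an assumed one: a domain-joined member server with a fixed IP and an internal NTP source. Run it as Administrator.

```powershell
# Added example, not from the RAZOR slides: stop and disable the services on
# slides 24-25, then verify. Short names are my mapping of the display names.

$razorList = @(
    'Alerter', 'AppMgmt', 'ClipSrv', 'EventSystem', 'SENS', 'Browser', 'Dhcp',
    'Dfs', 'TrkWks', 'TrkSvr', 'MSDTC', 'Fax', 'NtFrs', 'IISADMIN', 'cisvc',
    'SharedAccess', 'IsmServ', 'kdc', 'LicenseService', 'dmserver', 'dmadmin',
    'Messenger', 'Netlogon', 'mnmsrvc', 'Netman', 'NetDDE', 'NetDDEdsdm',
    'SysmonLog', 'Spooler', 'RSVP', 'RasAuto', 'RasMan', 'RpcLocator',
    'NtmsSvc', 'seclogon', 'lanmanserver', 'SMTPSVC', 'SCardSvr', 'SCardDrv',
    'Schedule', 'TapiSrv', 'TlntSvr', 'TermService', 'UPS', 'UtilMan',
    'MSIServer', 'winmgmt', 'Wmi', 'lanmanworkstation', 'W3SVC', 'W32Time'
)

# Slide 10: lock everything down, then enable only what this box must offer.
# $keep is the role-specific exception list (assumed role: domain member,
# fixed IP, internal NTP server):
#   lanmanworkstation, Netlogon  - required to stay a domain member
#   W32Time                      - Kerberos needs the clock within tolerance
#   seclogon                     - RunAs, which slide 50 tells admins to use
#   winmgmt                      - the Get-CimInstance check below needs WMI
$keep = @('lanmanworkstation', 'Netlogon', 'W32Time', 'seclogon', 'winmgmt')

$report = foreach ($name in $razorList) {
    if ($keep -contains $name) {
        [pscustomobject]@{ Service = $name; Result = 'kept (role)' }
        continue
    }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{ Service = $name; Result = 'not installed' }
        continue
    }
    try {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }
        Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
        [pscustomobject]@{ Service = $name; Result = 'stopped and disabled' }
    } catch {
        [pscustomobject]@{ Service = $name; Result = "FAILED: $($_.Exception.Message)" }
    }
}
$report | Format-Table -AutoSize

# Check: nothing on the RAZOR list, outside $keep, may still be set to start
# automatically or be running.
Get-CimInstance Win32_Service |
    Where-Object { $razorList -contains $_.Name -and $keep -notcontains $_.Name -and
                   ($_.StartMode -eq 'Auto' -or $_.State -eq 'Running') } |
    Select-Object Name, DisplayName, StartMode, State
```

Confirm the name mapping on your own build first with Get-Service -DisplayName 'Distributed*' and similar before trusting the list, and keep the report: a service that comes back as FAILED usually has a dependent service still running, which Stop-Service -Force should have handled but which is worth a second look.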

26
Other Settings: RAZOR Recommendations
  • Create the registry key
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
    (on Windows 2000 it is an empty subkey; on Windows
    XP/2003 and later it is a DWORD value NoLMHash set
    to 1)
  • Reboot and change all passwords (an account's LM
    hash is only discarded when its password is next
    changed)
  • Rename the Administrator account
  • Unbind NetBIOS from TCP/IP on all adapters
  • Disable "Register this connection's addresses in
    DNS" (dynamic DNS registration)
  • Disable LMHOSTS lookup

27
New Tools To Help
29
Other Settings: RAZOR Recommendations
  • Secure C:\
    • Administrators, SYSTEM: Full Control
    • Authenticated Users: Read only
  • Secure C:\TEMP
    • Administrators, SYSTEM: Full Control
    • Authenticated Users: Read only
  • Secure C:\WINNT\TEMP
    • Administrators, SYSTEM: Full Control
    • Authenticated Users: Read only
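
The registry, account, NetBIOS and file-system items on slides 26 and 29 are scattered across four different tools in the GUI. The script below is an added example, not from the presentation, that does them in one pass on a current Windows host, where the same settings still exist. Assumptions: the system drive is C:, the Windows directory is whatever $env:SystemRoot says (C:\WINNT on Windows 2000), the replacement administrator name svc-localadm is a placeholder, and you run it as Administrator. Two cautions: icacls changes to inheritable ACEs on C:\ propagate into every child directory that still inherits from the root, so review the tree first on a server with data on C:; and the slide's "Read only" is taken literally (R), which is fine on a server where only administrators log on interactively, but non-administrators who must run programs need RX on C:\ and Modify on the TEMP directories.

```powershell
# Added example, not from the RAZOR slides: slides 26 and 29 as a script for a
# current Windows host. Placeholder: the new administrator name. Run elevated.

# Slide 26: stop storing LM hashes. Windows 2000 used an empty subkey named
# NoLMHash; XP/2003 and later use a DWORD value (1 = do not store).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
# Windows 2000 form, for reference: New-Item -Path $lsa -Name NoLMHash
# Either way, each account keeps its LM hash until its password is changed.

# Rename the built-in Administrator, found by its well-known RID 500 rather
# than by name, so the script is safe to re-run after the rename.
$builtin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=TRUE" |
    Where-Object { $_.SID -like '*-500' }
if ($builtin.Name -eq 'Administrator') {
    Invoke-CimMethod -InputObject $builtin -MethodName Rename -Arguments @{ Name = 'svc-localadm' } | Out-Null
}

# NetBIOS over TCP/IP off on every IP-enabled adapter (2 = disable), no
# dynamic DNS registration, and no LMHOSTS lookup (EnableWINS is a static
# method, so it is invoked on the class rather than on each adapter).
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE"
foreach ($nic in $nics) {
    Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    Invoke-CimMethod -InputObject $nic -MethodName SetDynamicDNSRegistration -Arguments @{
        FullDNSRegistrationEnabled = $false; DomainDNSRegistrationEnabled = $false } | Out-Null
}
Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS -Arguments @{
    DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null

# Slide 29: Administrators and SYSTEM full control, Authenticated Users read
# only. /inheritance:r drops inherited ACEs, /grant:r replaces any earlier
# grant for the same principal, (OI)(CI) makes the new ACEs inheritable, and
# the /remove pass takes out the default grants the slide does not list.
$dirs = 'C:\', 'C:\TEMP', "$env:SystemRoot\TEMP"
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
    icacls $d /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Authenticated Users:(OI)(CI)R'
    icacls $d /remove:g 'Users' 'Everyone' 'CREATOR OWNER'
}

# Checks
Get-ItemProperty -Path $lsa -Name NoLMHash
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    Select-Object Description, TcpipNetbiosOptions, FullDNSRegistrationEnabled
foreach ($d in $dirs) { icacls $d }
```

After the rename, anything that referenced the account by the literal name "Administrator" (scheduled tasks, service logons, scripts) breaks; the RID lookup above is also how an attacker finds the renamed account, so treat the rename as slide 26 does, as one small layer rather than a control on its own.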

30
Other Items to Consider
  • Remove unused subsystems
    • POSIX
    • OS/2
  • Rename local machine user accounts

31
Best Practices
  • Patches, patches, patches
    The first line of defense is up-to-date patches.
    Most widely exploited problems have patches.
  • Minimal services
    Many widely exploited flaws exist in services
    that are installed by default but rarely used.
    Disable all unused services.
  • Anti-virus software
    Up-to-date AV software will prevent problems from
    spreading out of control.
  • Strong passwords
    Password crackers are fast and getting faster.
    Exploit tools automate logging in to a variety of
    services using blank or default passwords. Use a
    one-time password pad whenever possible and
    strong passwords the rest of the time. Users
    must be educated to understand the risks.
  • Egress filtering
    Trojans like to phone home, as do lots of
    malicious programs. Use a web proxy and limit
    outbound connections strictly.

32
Active Directory Security Suggestions
33
Security Features in Active Directory
  • Granular Delegation
  • Group Policy Objects (GPOs)
  • ACLs

34
Opposite of NT
  • The granularity of authorizations has been
    greatly extended in Active Directory to cover not
    only an object but also the attributes of an
    object.
  • As a result, you can allow a group of
    administrators to do nothing but reset user
    passwords.
  • This granularity works because an ACE in an AD
    object's security descriptor can be scoped to a
    single attribute, property set or extended right
    (an object-specific ACE); there isn't just one
    all-or-nothing ACL for the entire object.

35
Delegation
  • A preferred way to delegate administrative
    control over Active Directory objects is to
    create OUs within a domain and use the Delegation
    of Control Wizard to assign granular permissions
    for administrators.
  • When you're designing the OU structure for each
    of your domains, consider creating OUs only when
    you want to delegate administration.

36
One Delegation Approach
  • Create an OU for each logical subdivision of the
    domain
  • Create a local group for each subdivision
    representing the highest level administration in
    that subdivision
  • Assign the given group full control over its OU
  • If the subdivision is allowed to set its own
    membership, place the subdivision's
    administrators group inside the OU. Otherwise,
    leave the group outside the OU.

37
Delegation Best Practices
  • Create special OUs
  • Delegate access through groups rather than users
  • Assign access at the lowest possible level
  • Avoid granting Full Control over containers
  • Use group policy to control user rights
  • Consider separating object-creation tasks from
    object-management tasks
  • Delegating the ability to move objects requires
    Delete permissions in the source OU and Create
    permissions in the target OU
  • Group membership administration is granted in the
    OU where the group account resides
  • Remember that object owners, regardless of their
    explicit access level, can always gain Full
    Control over the object
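
Slides 34 through 37 describe the pattern but not what it looks like once written down: one OU per subdivision, one group per subdivision, the right granted to the group at the lowest level, and a narrow grant rather than Full Control. The block below is an added example using the ActiveDirectory PowerShell module, not code from the presentation, and it implements the slide 34 case (a group that can do nothing but reset passwords) rather than the Full Control grant of slide 36, because slide 37 says to avoid Full Control over containers. The subdivision name Sales and the group name Sales-PasswordReset are placeholders; the domain is read from Get-ADDomain. The three GUIDs are fixed schema and control-access-right identifiers that are the same in every forest. Run it as a domain administrator.

```powershell
# Added example, not from the RAZOR slides: delegate "reset password" on the
# user objects under one OU to one group, then read the ACL back.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$sub      = 'Sales'                      # placeholder subdivision
$ouDN     = "OU=$sub,$domainDN"
$grpName  = "$sub-PasswordReset"         # placeholder group name

# Slide 36 steps 1-2: the OU and the group that will hold the delegated right.
# The group is created outside the OU (CN=Users); move it into the OU only if
# the subdivision is allowed to manage its own membership (slide 36, step 4).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$sub'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $sub -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
$grp = Get-ADGroup -Filter "Name -eq '$grpName'"
if (-not $grp) {
    $grp = New-ADGroup -Name $grpName -GroupScope DomainLocal -Path "CN=Users,$domainDN" -PassThru
}

# Fixed identifiers used in object-specific ACEs
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class: user
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right: Reset Password
$pwdLastSet = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute: pwdLastSet

$sid   = [System.Security.Principal.SecurityIdentifier]$grp.SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # children only, not the OU itself
$acl   = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the Reset Password extended right, inherited by user objects only
$acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwd, $inh, $userClass))
# ACE 2: read/write pwdLastSet on user objects, so the group can also tick
# "user must change password at next logon" after a reset
$rw = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, $rw, $allow, $pwdLastSet, $inh, $userClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list exactly what the group holds on this OU. Nothing here should
# read GenericAll, and ObjectType should be one of the two GUIDs above.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$grpName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The read-back at the end is the part worth keeping in a runbook: the Delegation of Control Wizard writes the same kind of ACEs, but it does not show you afterwards what it wrote, and slide 37's warning about object owners applies here too, since whoever creates a user under this OU owns it and can rewrite its DACL regardless of what the OU grants.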

38
Group Policy Objects
  • Group Policy will allow you to uniformly enforce
    defined security policies throughout your
    computing infrastructure by creating domain-level
    GPOs that define the most critical security
    related settings. These settings will then be
    enforced on each and every computer in the
    domain. No longer will security settings have to
    be managed on individual computers.

39
Group Policy Object Initialization
  • Computer-related policy settings are applied when
    the OS initializes.
  • User-related policy settings are applied when
    users log on to their computers.
  • NOTE: If computer settings and user settings come
    into conflict, the computer configuration
    settings override the user configuration settings.

40
Computer Configuration GPO
  • Account Policies
  • Local Policies
  • Event Log Policies
  • Restricted Groups
  • System Services
  • Registry
  • File System
  • Public Key Policies
  • IP Security Policies

41
GPO and Access Control
  • Security templates and GPOs are generally the
    best approach to implementing a given security
    policy for a group or category of users.

42
AD Security Components
  • Security Principals - User, security group,
    service, and computer. Identified by a unique ID
  • Security Identifiers (SIDs) - Uniquely identify
    security principals. Are never reused
  • Security Descriptors - Security information
    associated with an object. Contains Discretionary
    Access Control Lists (DACLs) and System Access
    Control Lists (SACLs)

43
Three types of permissions
  • Inherited
    Flow from higher-level objects to lower-level
    objects.
  • Explicit
    Augment or replace inherited permissions on an
    object.
  • Protected
    Inheritance from the parent is blocked, so only
    explicit permissions exist on the object.
  • Child objects whose permissions aren't
    consistent with the permissions inherited from a
    parent are protected by explicit permissions, and
    the inherited permissions aren't applied.

44
ACL Inheritance
  • Explicit ACEs are evaluated before inherited ACEs
  • Access-denied ACEs are evaluated before
    access-allowed ACEs
  • Put together, the canonical order is explicit
    deny, explicit allow, inherited deny, inherited
    allow, so an explicit allow on an object wins over
    a deny inherited from its container

45
Caution!!!!
46
ACL Best Practices
  • Never assign rights, privileges, or ACLs to an
    individual computer or user object. Instead,
    create a security group, assign the appropriate
    permissions to it, then add computer or user
    objects to it.

47
Take-away Note
  • The most important thing to remember when you're
    setting up access control in your Active
    Directory environment is to give people the
    minimum number of rights they need to do their
    jobs.

48
Security Best Practices Guidelines
49
Best Practice Overview
  • Secondary Authentication
  • General Recommendations
  • Physical Security
  • Other Considerations

50
Using Secondary Authentication
  • No system administrator in your environment
    should ever again read mail and compose simple
    documents while running as a member of the
    Domain Admins group!

51
RUN-AS Command
52
Best Practices - General
  • Use legal notice captions on all machines
  • Use legal notice text on all machines
  • Do not display last logon name

53
Physical Security
  • All DCs contain a read/write copy of AD
    • NT BDCs contained a read-only copy of the SAM
  • Physically secure all DCs
    • Even ones at remote locations
  • Tools to use once physical access is gained:
    • L0phtCrack
    • NTFS2DOS

54
Physical Security
  • Secure wiring closets
  • Open network ports open security holes
    • Sniffers could be placed on the network and
      capture passwords
    • Network access opens up a door for finding more
      access: open shares, user names, ???

55
Physical Security Best Practices
  • Keep servers in a locked room
  • Disable the removable-media boot option if
    available
  • Remove or restrict access to the removable media
    drives
  • The CPU case should be secured by a key stored
    safely away from the computer
  • Implement a system BIOS password

56
Other Considerations
  • Other Microsoft services
    • Exchange
    • DHCP/DNS
    • IIS
    • SQL
  • Desktop clients
  • User community buy-in

57
Reminders
58
Reminder
  • Security is everyone's responsibility
    • Management
    • IT Staff
    • Users

59
Reminder
  • Technical support staff should be reminded never
    to reveal or reset passwords for anyone over the
    phone
  • User community education
  • Password use and storage
  • Social engineering techniques

60
Importance Of A Strong Password
  • Estimated time to brute-force a password at
    100,000 guesses per second
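
The table this slide showed did not survive the transcript, but it is pure arithmetic over the keyspace, so it can be regenerated. The function below is an added example, not from the presentation: it recomputes worst-case brute-force time at the slide's 100,000 guesses per second and, to put "getting faster" in numbers, at an assumed 1e10 guesses per second, a round figure for NTLM hashes on a current GPU rig rather than a measured benchmark.

```powershell
# Added example, not from the RAZOR slides: worst-case brute-force time for a
# full keyspace search at the slide's rate (1e5/s) and an assumed modern GPU
# rate (1e10/s). Keyspace = charset size ^ length.
function Format-Duration {
    param([double]$Seconds)
    switch ($Seconds) {
        { $_ -lt 60 }        { return ('{0:N1} s'     -f $_) }
        { $_ -lt 3600 }      { return ('{0:N1} min'   -f ($_ / 60)) }
        { $_ -lt 86400 }     { return ('{0:N1} h'     -f ($_ / 3600)) }
        { $_ -lt 31557600 }  { return ('{0:N1} days'  -f ($_ / 86400)) }
        default              { return ('{0:N1} years' -f ($_ / 31557600)) }
    }
}

function Get-BruteForceTime {
    param(
        [int[]]    $Lengths = 6..10,
        [double[]] $Rates   = @(1e5, 1e10)      # guesses per second
    )
    $charsets = [ordered]@{
        'digits (10)'          = 10
        'lowercase (26)'       = 26
        'alphanumeric (62)'    = 62
        'printable ASCII (95)' = 95
    }
    foreach ($len in $Lengths) {
        foreach ($cs in $charsets.GetEnumerator()) {
            $space = [math]::Pow($cs.Value, $len)           # entire keyspace
            $row = [ordered]@{ Length = $len; Charset = $cs.Key }
            foreach ($r in $Rates) {
                $row["at $('{0:0e0}' -f $r)/s"] = Format-Duration ($space / $r)
            }
            [pscustomobject]$row
        }
    }
}

Get-BruteForceTime | Format-Table -AutoSize
```

Two rows are worth reading against slide 16's "7 characters plus complexity": a 7-character alphanumeric password is 62^7, about 3.5e12 guesses, which is roughly 1.1 years at 100,000 per second but under six minutes at 1e10 per second; 7 printable-ASCII characters is about 22 years at the slide's rate and under two hours at the GPU rate. That is the arithmetic behind the deck's own advice on slide 31 to prefer one-time passwords where you can, and it is why the length minimum, not the complexity switch, is the setting to raise first.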

61
References
62
Links
  • razor.bindview.com
  • www.bindview.com/ebook
  • www.microsoft.com/security
  • www.nipc.gov (now part of www.dhs.gov)
  • www.sans.org
  • www.cisecurity.org
  • nsa1.www.conxion.com

63
BindView Products
  • bv-Control Product Suite
  • Microsoft Active Directory
  • Microsoft Windows
  • Microsoft Exchange
  • Microsoft SQL Server
  • Internet Security
  • UNIX
  • Novell NetWare
  • Novell NDS eDirectory
  • OS/400
  • SAP
  • NETinventory
  • Security Advisor
  • bv-Admin Product Suite
  • Microsoft Windows (NT/2000/Active Directory)
  • Microsoft Exchange
  • Novell NetWare
  • Migrate for Windows 2000
  • Migrate for Novell NDS
  • Migrate for Microsoft Exchange
  • Mobile
  • Password Self Serve
  • Policy Operations Center
