12 Tips to Secure Your Windows Systems, Revisited: How Windows Vista, Windows Server 2008/R2, and Windows 7 Change the Game
Tomasz Zukowski
Inobits Consulting
Session Code: WSV301

Question: How many of you do security at your company?

Question: How many of you ASKED to do security at your company?

What's This Talk All About?
Several things:
Review the fundamentals, but with a fresh "2009 perspective"
A chance to help you in the ongoing battle to convince our users that security matters
If you've made the choice to use Win 6 or 7, I want you to know where to go to get the most out of that investment security-wise

Why Security Matters
Protecting company assets, of course
But the Internet adds a new dynamic
Computers are “levers” when it comes to data; when things are good, they’re very good, and when they’re bad, they’re very bad – and get worse quickly!
There is also the matter of public security, which is another very good reason to care

Twelve Tips
You are a risk manager
Write a security policy
Passwords
Authenticate right
Stomp Administrator
Auditing and logs
Nail the services… or the developers
Physical security
Have A DR Plan
Upgrade the carbon units
Stay informed
Patch!

Risk Analysis

Security’s a Tradeoff…
… like everything else in business
You cannot make your system completely secure
We accept and absorb risks all the time

Security Has A Price
IT’s job versus security’s job
Many “hardening” techniques will cause software to break

Write a Security Policy (one on paper, that is)
We’re talking here about protecting the organization from destruction, so…
This only works if management’s on board
Must have a written security policy
Must have a few items that, well, could cause termination
If not, then relax: you’re going to get hacked, probably by an insider, but there’s nothing you can do about it, so don’t work late
Good sample policies at http://www.sans.org/resources/policies/

Practical Talk About Passwords
“Bad passwords always beat good security”

Passwords – the stakes
Passwords are it for most of us in terms of identifying ourselves to the network
Bad guys just need one account, not all of them
Passwords are a carbon-based issue, not a silicon-based issue
Again, get the users on board, or it's likely that no password technology will ever work

Passwords – the modern facts
Passwords are attacked in several ways:
Shoulder surfing
Post-Its
They’re yelled across a room
Someone steals your password “hashes” and cracks them
Someone tries repeatedly to log on with different passwords
Note that only the last two are technological

A Bit of Technicals on Passwords
Computers don't store your password; they convert it to a 128-bit "hash" and store that
"Open Sesame" → any of many mathematical processes called a "hash function" → 0F725ACD85C6390EE6F218C7D382C552
This is essentially your real password – if bad guys get it, they can (1) attempt to reverse it to get your password (difficult) or (2) just directly use the hash to impersonate you (easy)

How Bad Guys Get Your Hash
Physical access to your system
Guessing it
But that means trying 2^128 possibilities, which is still computationally unlikely – at a million/second, it'd take 10^25 years, and even Moore's Law won't crack that for a while
Guessing it with a hint… now, that might be possible!

Hint Sources
Structural limitations on passwords
The 1980's "LAN Manager" software limited the possible number of hashes so that checking all possible hashes can be done in a few days on a modern system rather than a zillion years… so LM hashes must go
Hashes come from human-chosen passwords, and humans tend not to create passwords like "6$^^hH-()()()()(7Ghala"
Worse yet, many people restrict themselves to personal info or English words
This is how the bad guys get passwords!

Protecting Your Passwords
Get your users to create useful, non-trivial passwords
Mandate a minimum password length of at least 8 characters, consider 12… 7 or under is bad under all circumstances for several reasons
Avoid complexity requirements; length does the work
Train users to avoid simple English words
Get rid of LM now. Really… now.
Group policies will do it
Most systems will not have a compatibility problem, but check NASes and network-attached printers

Win 6/7 and LM
After telling us to rid our networks of LM-related stuff for ten years, Microsoft took a big step…
… Vista, Server 2008, Win 7 and Server 2008 R2 have no support for LAN Man hashes or authentication at all
You couldn't create an LM hash with Vista if you wanted to!

The Dumbest Passwords
I've got to stress this…
In the early 21st Century, these kinds of passwords can almost always be cracked in under three minutes:
A name associated with you or your organization
A date associated with you or your organization
A dictionary word
BTW, just adding a number or a capital adds no more than a few minutes to the time
People with these passwords must, sadly, be sterilized

12 Characters? Are You Crazy?
I advocate a 12-character minimum password length… more length makes up for a "no complexity" requirement
Only requires a bit of user education on the "passphrase"
12 lowercase letters = 95,428,956,661,682,176 possibilities
Try a million a second, it’ll take 300 centuries

The Ultimate Password
Remember why English word passwords are childishly simple to crack?
They weren't 12 years ago
As Moore's Law strides on, one day any eight-character password, no matter how obscure, will be crackable in an hour or so
And then what do we do?
Answer: PKI… so put that on your "things to figure out in the next couple of years" list
WS08 R2 Authentication Mechanism Assurance

Watch Your Authentication Protocols

Why They Matter
When you log on, your system decides under the hood how to authenticate with a domain controller – either
LM
NTLM
NTLM v2
Kerberos
Even in an AD world, the top three get used… and you really want to avoid that

What? Not Use Kerberos?
Even in an AD-centric network, you may not get Kerberos:
NET USE to an IP address
Connect to a workgroup system on Windows of any version
Connect to a pre-2000 system
Failover from a busy DC
Badly-written apps (any apps older than 7 years?)
Intranet site not added to "local intranet" zone
Nowadays we really want to de-NTLM our networks as much as possible

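To see where a given machine actually stands on the "get rid of LM" and "avoid LM/NTLM" points above, here is an added PowerShell check (not from the talk) that reads the two LSA registry values behind those group policies; it assumes an elevated local session and Windows PowerShell 3 or later.

```powershell
# Added example: report the LSA settings that decide whether LM hashes are stored and
# which of LM / NTLM / NTLMv2 this box will send or accept.
function Get-LmPolicyState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $isWin6OrLater = [Environment]::OSVersion.Version.Major -ge 6

    # Policy "Network security: Do not store LAN Manager hash value on next password change".
    # Vista and later default to 1 (and cannot produce an LM hash anyway); on XP/2003 an
    # absent value means LM hashes are still written at every password change.
    $noLmHash = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } elseif ($isWin6OrLater) { 1 } else { 0 }

    # Policy "Network security: LAN Manager authentication level"; absent means the OS default,
    # 3 on Vista and later. Pre-Vista is treated as 0 here (XP default; 2003 defaulted to 2,
    # but the finding is the same).
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } elseif ($isWin6OrLater) { 3 } else { 0 }
    $meaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only; refuse LM'
        5 = 'Send NTLMv2 response only; refuse LM and NTLM'
    }

    $findings = @()
    if ($noLmHash -ne 1) { $findings += 'LM hashes are still being stored: set NoLMHash via group policy, then have users change passwords' }
    if ($level -le 2)    { $findings += "Level $level still sends LM or NTLM responses: raise it to 3 or higher" }
    if ($level -lt 5)    { $findings += "Level $level still accepts LM/NTLM from clients: 5 is the de-NTLM target for servers and DCs" }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        NoLMHash             = $noLmHash
        LmCompatibilityLevel = $level
        Meaning              = $meaning[$level]
        Findings             = $findings
    }
}

Get-LmPolicyState | Format-List
```
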
Kerberos Logon vs NTLM Logon
How you know you're NTLM-ing:
Can't join machines to domains
Don't get group policies
Netmon traces show NTLM, not Kerberos traffic
Tracking this stuff down by hand is a pain, so Windows 7/Server 2008 R2 offer some new group policies

NTLM Restriction Policies
Essentially these new policies let you first track and then block NTLM logons
There are basically three policies, each with an "audit" and a "block" option:
Incoming NTLM traffic (server tracking)
Outgoing NTLM traffic (client tracking)
Domain traffic (DC tracking)
They write new log events of source "NTLM," numbers 8001, 8002, 8003, 8004

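An added PowerShell summary (not from the talk) of those NTLM audit events, for the "track first, then block" step: it assumes the events land in the Microsoft-Windows-NTLM/Operational log and that 8003 and 8004 both belong to the domain (DC) policy, following the slide's three-policy grouping.

```powershell
# Added example: count the 8001-8004 NTLM audit events so you know who still depends on
# NTLM before switching the restriction policies from "audit" to "block".
function Get-NtlmAuditSummary {
    param(
        [string]$LogName = 'Microsoft-Windows-NTLM/Operational',   # assumed log name
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # Which policy each event ID reports for; 8003/8004 under the DC policy is an assumption
    $policy = @{
        8001 = 'Outgoing NTLM traffic (client tracking)'
        8002 = 'Incoming NTLM traffic (server tracking)'
        8003 = 'Domain traffic (DC tracking)'
        8004 = 'Domain traffic (DC tracking)'
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = 8001, 8002, 8003, 8004; StartTime = $Since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No NTLM audit events in $LogName since $Since; is the audit policy switched on?"
        return
    }

    $events | Group-Object -Property Id | ForEach-Object {
        $id     = [int]$_.Name
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            EventId = $id
            Policy  = $policy[$id]
            Count   = $_.Count
            First   = $sorted[0].TimeCreated
            Last    = $sorted[-1].TimeCreated
            # the first message line names the process or target; enough to start chasing it
            Example = ($sorted[-1].Message -split '\r?\n')[0]
        }
    } | Sort-Object -Property Count -Descending
}

Get-NtlmAuditSummary | Format-Table -AutoSize -Wrap
```

Run it on a client for 8001, on a file/app server for 8002 and on a DC for the domain events; the three views together give the list of systems and apps to fix before blocking.
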
Windows 6/7 Crypto Changes
Windows Vista/2008 adds AES (to Kerberos)
Needs 2008 DFL
Happens automatically upon shift to 2008 DFL
Server 2003 R2 and earlier DCs cannot employ AES
Side-effect: Win 6/7 systems will always fail in their first logon attempt; that is normal!

Handling Admin Accounts and Eliminating "Administrator"

Creating Good Admin Passwords (without having to stress the users)
Having someone crack one of our (administrator) passwords would be bad
One answer: set up different password policies for members of the Domain Administrators group from the policy for non-admins
Possible in 2008 and 2008 R2 with "password settings objects"
Needs 2008 DFL; a good tool to utilize it is at www.joeware.net (PSOMgr)

PSOMgr.exe

Stomping Administrator (the account, that is)
Local “Administrator” account is unaccountable
Rename it
Prohibit insiders from using it also (otherwise, auditing is pointless)
Give people’s accounts the admin privileges that they need … no more
Then assume that people using Administrator have no good in mind – make using it a firing offense!
No real need for the Administrator account any more

Stomping Administrator
Randomize the admin password:
net user administrator /domain /random >nul
It doesn’t hurt to rename the account in any case
If using 2003 or 2008, you can:
create a smart card for the Administrator account
force the Administrator account to only be able to log on with the card – ctrl-alt-del won’t work
lock up the card and disperse the PIN

Don’t Spend All Day As Admin
Tempting to be logged in all day as an administrator
Workaround: the runas command, although truthfully it's a pain
Works best when shift-right-clicking a menu item
But there's a better way…

What About UAC?
In a sense, it's a "reverse Run As"
You log in as an administrator, but automatically get two identities, and a reminder whenever you use the powerful one
People find it annoying… but I really recommend that you keep it in place
In silent mode, it essentially automates the "two account switch" trick
Once you understand UAC, it can be very useful, so give it a second look

Audit Your Network

Windows Auditing
It's been around forever, but isn't always used
Why use it?
After-the-fact forensics
Helpful in compliance situations (HIPAA, SOX)
Treat logs policy-wise the way you treat money accounting records
Biggest pain is collecting and archiving the Security logs, as there's one on every workstation and server

Auditing and Logs (what modern Windows offers)
Fine-tune who you're auditing with auditusr, which first appeared in XP SP2 and 2003 SP1/R2
In Vista and later, it's called "auditpol" and has different syntax
Easily centralize logs with Windows 6 and 7's ability to centralize events to a single system – "event log subscriptions"

Auditing And Logs (some fairly big news in Windows auditing in Win 7/R2)
More auditable stuff: 9 categories in Vista…
… 54 in Windows 7/R2
To see this, look in Group Policies / Windows Settings / Security Settings; the old "Local Policies / Audit Policy" is there, but there's also now an "Advanced Audit Policy Configuration" folder
"Global SACL" or "Global object access auditing" completely changes object auditing
Use either group policies or auditpol to enable "Reason for access" reporting

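An added PowerShell script (not part of the talk) that pulls the per-subcategory policy with auditpol's CSV report and lists every subcategory still at "No Auditing"; it assumes an elevated session, English auditpol output and PowerShell 3 or later, and the short priority list of subcategories is my own, not the speaker's.

```powershell
# Added example: find the advanced-audit-policy subcategories that are switched off.
function Get-AuditPolicyGaps {
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = (& auditpol.exe /get /category:* /r) | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

    # Subcategories to look at first for the topics in this talk (assumed list);
    # "Handle Manipulation" is the one "Reason for access" reporting needs next to "File System".
    $priority = @('Credential Validation', 'Kerberos Authentication Service', 'Logon', 'Logoff',
                  'Account Lockout', 'User Account Management', 'Security Group Management',
                  'File System', 'Handle Manipulation', 'Audit Policy Change')

    $rows | ForEach-Object {
        $sub = $_.Subcategory.Trim()
        $set = $_.'Inclusion Setting'.Trim()
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $set
            Priority    = ($priority -contains $sub)
            Gap         = ($set -eq 'No Auditing')
        }
    } | Where-Object { $_.Gap } |
        Sort-Object -Property @{ Expression = 'Priority'; Descending = $true }, Subcategory
}

Get-AuditPolicyGaps | Format-Table -AutoSize

# To close a gap by hand on one box (group policy is the way to do it fleet-wide):
#   auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
```
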
Securing Services

Securing Services
Whenever there's a headline-grabbing security attack, there's a compromised service behind it
There have traditionally been three things you can do to reduce services' vulnerabilities:
Disable the unnecessary ones
Minimize the remaining ones' privileges
Minimize the remaining ones' permissions
XP SP2 started a trend that way, but you may be surprised at what Windows 6 did to shore up services' security

Services, Phase One (disable unnecessary ones)
Much less necessary with Vista/2008
Messenger, clipbook, alerter services gone
Other services are isolated in a separate Terminal Services session and so cannot interact with the desktop
(Only bad part – causes some pre-Vista print drivers to fail)

Services, Phase 2 (de-fang the services that you leave running)
Services run not as you, but as some account – probably System, which is all-powerful
Thus, any damage that they can do is limited by the permissions on that account
Unfortunately that’s usually System
Vista/2008 includes a built-in feature that reduces much of System's power: a service can declare just the privileges it needs, and Windows strips the rest from its token

Services, Phase 2 (finding out if your devs have been lazy)
The problem is that not every developer exploits it
Way to find out: open an elevated command prompt and type
sc qprivs servicename
If you don't get a list of privileges, that service has not been secured – so yell at the developer!

Services, Phase 3 (reducing their power with service isolation)
"System" has all-encompassing file permissions
Vista/2008 take it a step further with "service isolation"
Basically, an isolated service is one whose developer has very finely determined which files/folders/etc. a given service needs, and used a new Vista/2008 feature to explicitly lock it out of everything else
Test: "sc qsidtype servicename" – you want to see "SERVICE_SID_TYPE: RESTRICTED"
If not… whack the developers!
(Hey, if you've got Win 6/7, you've already paid for this!)

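The two sc checks from Phase 2 and Phase 3, run across every installed service rather than one at a time, as an added PowerShell script that is not from the talk; it assumes an elevated session and PowerShell 3 or later.

```powershell
# Added example: report which services have neither a declared privilege list (sc qprivs)
# nor a RESTRICTED service SID (sc qsidtype), using the same tests the slides give.
function Get-ServiceHardeningReport {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $name     = $svc.Name
        $privText = (& sc.exe qprivs $name 2>&1) -join "`n"
        $sidText  = (& sc.exe qsidtype $name 2>&1) -join "`n"

        # qprivs prints a "PRIVILEGES : SeXxxPrivilege" block only when the developer declared
        # what the service needs; nothing listed means the token was never trimmed.
        $privs = @([regex]::Matches($privText, 'Se[A-Za-z]+Privilege') | ForEach-Object { $_.Value })

        # qsidtype prints SERVICE_SID_TYPE: NONE, UNRESTRICTED or RESTRICTED
        $sidType = if ($sidText -match 'SERVICE_SID_TYPE:\s*([A-Z]+)') { $Matches[1] } else { 'UNKNOWN' }

        [pscustomobject]@{
            Service    = $name
            Account    = $svc.StartName
            Privileges = ($privs -join ',')
            SidType    = $sidType
            # Flagged exactly as the slides put it: no privilege list, or SID not RESTRICTED
            NeedsLook  = ($privs.Count -eq 0 -or $sidType -ne 'RESTRICTED')
        }
    }
}

# The ones running as LocalSystem with nothing trimmed are the first to raise with the vendor
Get-ServiceHardeningReport |
    Where-Object { $_.NeedsLook -and $_.Account -eq 'LocalSystem' } |
    Format-Table Service, Account, SidType, Privileges -AutoSize
```
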
Managed Service Accounts (background: what problem does this solve?)
Services must run under an account, and LocalSystem / LocalService / NetworkService can't always do the job
IIS, Exchange, SQL are some common examples
In that case, techies need to create accounts to act as service accounts
That works fine, except for the issue of passwords: they need regular changing, or services stop working

Managed Service Accounts (answer: managed service accounts)
New class of accounts
Sorta user accounts, sorta machine accounts (new icon)
You:
Create one on the domain
"Install" it on the member server
Configure the service so that it logs on as that account, and from there password updates etc. are automatic
Need one account per member server

Managed Service Accounts (password details)
240-character passwords created
Ignore group policies about passwords and ignore fine-grained password policies
Automatically handle password changes every 30 days

Managed Service Accounts (requirements/details)
Requires at least one 2008 R2 DC (which means a 2008 R2 schema on the forest)
Requires AD PowerShell (and therefore AD Web Service) to create accounts
Live in their own new folder (not an OU) called "Managed Service Accounts"
Servers hosting services that use the accounts must be R2/Win 7

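The three steps above (create, install, configure the service) as ActiveDirectory-module commands, added here rather than taken from the talk; the account, server and service names are placeholders, and it assumes the AD PowerShell module where you run it plus PowerShell remoting to the member server.

```powershell
# Added example: set up a Server 2008 R2 managed service account end to end.
Import-Module ActiveDirectory          # needs the AD Web Service, as the requirements slide says

$msaName = 'svc_reports'               # placeholder MSA name; keep it short, the SAM name has a 15-character limit
$server  = 'APP01'                     # placeholder member server; must be Win 7 / 2008 R2
$service = 'ReportSvc'                 # placeholder Windows service on that server
$account = "$env:USERDOMAIN\$msaName`$"   # services log on as DOMAIN\name$, machine-account style

# Step 1: create it on the domain; it lands in the "Managed Service Accounts" container
New-ADServiceAccount -Name $msaName -Enabled $true

# Step 2: "install" it on the one member server allowed to use it (one MSA per server)
Invoke-Command -ComputerName $server -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $name
} -ArgumentList $msaName

# Step 3: make the service log on as the MSA with an empty password; from here on the host
# rotates the 240-character password every 30 days without anyone touching the service.
Invoke-Command -ComputerName $server -ScriptBlock {
    param($svc, $acct)
    # sc.exe wants the literal form  obj= DOMAIN\name$ password= ""  so hand it over as one string
    Start-Process -FilePath sc.exe -ArgumentList "config $svc obj= $acct password= `"`"" -Wait -NoNewWindow
    Restart-Service -Name $svc
} -ArgumentList $service, $account

# Check: the account's HostComputers back-link should now name the server
Get-ADServiceAccount -Identity $msaName -Properties HostComputers | Select-Object Name, HostComputers
```
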
Physical Security

Physical Security
The idea is "if I can touch it, I can hurt it"
The top item on many people's security lists… but not always a practical one to accomplish
Servers are often protected…
… but what about in branch offices?
And how can we (realistically) secure workstations – particularly laptops?
And beyond workstations, what about the other things that carry copies of our data?

Physical Security (using Windows 6 and 7: three technologies)
Device installation group policies: "no removable devices allowed on this system"
BitLocker: encrypts drives, securing laptops and branch office servers
BitLocker To Go: encrypts removable devices like USB sticks
Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"

Physical Security and RODCs (protecting your Active Directory)
In branch offices with questionable physical security, consider 2008-based "read only domain controllers" or RODCs
By default, RODCs contain copies of the AD…
… but no passwords
Thus, it's no good if the WAN link's down, but if stolen, it's got nothing we care about

Physical Security and RODCs (why's it good?)
RODCs let you "loosen" security a bit
You can put as many or as few passwords onto an RODC as you like
And if the RODC is stolen, just three clicks resets the passwords and deletes the RODC's domain membership
Combine it with BitLocker and you're better protected

Disaster Recovery / Business Continuity

Have A Disaster Plan (the problem)
Every organization needs DR and BC plans
"What if we're hacked?"
"What if there's a fire?"
"What if the water tower on the roof leaks and we have a flood on the top floor, where the servers are?"
DR plans can be a pain; here are a few thoughts

Have A Plan (have simple, but explicit, plans)
After the attack/disaster, the questions are the same: where are the backups? How do I restore them? How do I rebuild a DHCP server?
These should be step-by-step plans
These must be tested beforehand
This is not a small job, but it’s necessary and even constitutes training materials for new hires

Make DR a Bit Easier w/2008
DR plans are a good idea… but can be so hard to do
Answer: some sort of image backup/"bare metal restore" tool
Many of the big vendors have them
But 2008 includes one: Complete PC Backup

Upgrade the Carbon Units
No technology can protect us from attachments
The Kournikova worm worked because users didn’t know better and because we “protect” them from extensions
The weasels only win when users invite them in
Don’t yell, but… user training is the answer
Just 15 minutes of basics about mail and attachments goes a long way

Stay Informed and Stay Paranoid
www.microsoft.com/security for patches etc.
www.sans.org
www.securityfocus.com
the security pages from whatever apps you rely upon

Simplify Patching
If "physical" is #1 on many lists, this is probably #2 or #3
WSUS, of course
But don't forget your other technologies
And then there's patching images
If, however, you're using the free Windows (6 and 7) deployment tools from Microsoft, patching WIM imaging technology is easier than just about any tech around (and, again, it's free)

Related Content
WCL308: Deploying Windows 7 BitLocker in the Enterprise
SIA310: Cybercrime: A Journey to the Dark Side
SIA202: Developing a Security Awareness Strategy
SIA201: Windows 7 Security Overview
SIA302: Security Management - Integrated Enterprise Security
SIA206: Microsoft Security Intelligence Report

Question & Answer

Resources
www.microsoft.com/teched - Sessions On-Demand & Community
http://microsoft.com/technet - Resources for IT Professionals
http://microsoft.com/msdn - Resources for Developers
www.microsoft.com/learning - Microsoft Certification & Training Resources

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.