12 Tips to Secure Your Windows Systems, Revisited: How Windows Vista, Windows Server 2008/R2, and Windows 7 Change the Game (PowerPoint presentation)
Presentation Transcript

Slide 2

12 Tips to Secure Your Windows Systems, Revisited: How Windows Vista, Windows Server 2008/R2, and Windows 7 Change the Game

Tomasz Zukowski
Inobits Consulting
Session Code: WSV301

Slide 3

Question: How many of you do security at your company?

Slide 4

Question: How many of you ASKED to do security at your company?

Slide 5

What's This Talk All About?

Several things:
Review the fundamentals, but with a fresh "2009 perspective"
A chance to help you in the ongoing battle to convince our users that security matters
If you've made the choice to use Win 6 (Vista/Server 2008) or Win 7 (Windows 7/Server 2008 R2), I want you to know where to go to get the most out of that investment security-wise

Slide 6

Why Security Matters

Protecting company assets, of course
But the Internet adds a new dynamic
Computers are "levers" when it comes to data: when things are good, they're very good, and when they're bad, they're very bad, and get worse quickly!
There is also the matter of public security, which is another very good reason to care

Slide 7

Twelve Tips

1. You are a risk manager
2. Write a security policy
3. Passwords
4. Authenticate right
5. Stomp Administrator
6. Auditing and logs
7. Nail the services… or the developers
8. Physical security
9. Have a DR plan
10. Upgrade the carbon units
11. Stay informed
12. Patch!

Slide 8

Risk Analysis

Slide 9

Security's a Tradeoff…

… like everything else in business
You cannot make your system completely secure
We accept and absorb risks all the time

Slide 10

Security Has a Price

IT's job versus security's job
Many "hardening" techniques will cause software to break

Slide 11

Write a Security Policy (one on paper, that is)

We're talking here about protecting the organization from destruction, so…
This only works if management's on board
Must have a written security policy
Must have a few items that, well, could cause termination
If not, then relax: you're going to get hacked, probably by an insider, but there's nothing you can do about it, so don't work late
Good sample policies at http://www.sans.org/resources/policies/

Slide 12

Practical Talk About Passwords

"Bad passwords always beat good security"

Slide 13

Passwords – the stakes

Passwords are it for most of us in terms of identifying ourselves to the network
Bad guys just need one account, not all of them
Passwords are a carbon-based issue, not a silicon-based issue
Again, get the users on board, or it's likely that no password technology will ever work

Slide 14

Passwords – the modern facts

Passwords are attacked in several ways:
Shoulder surfing
Post-Its
They're yelled across a room
Someone steals your password "hashes" and cracks them
Someone tries repeatedly to log on with different passwords
Note that only the last two are technological

Slide 15

A Bit of Technicals on Passwords

Computers don't store your password; they convert it to a 128-bit "hash" and store that (on Windows this is the NT hash: MD4 over the UTF-16 password, with no salt)
"Open Sesame" goes through any of many mathematical processes called a "hash function" and comes out as 0F725ACD85C6390EE6F218C7D382C552
This hash is essentially your real password: if bad guys get it, they can (1) attempt to reverse it to get your password (difficult) or (2) just directly use the hash to impersonate you ("pass the hash", easy)

Slide 16

How Bad Guys Get Your Hash

Physical access to your system
Guessing it: but that means trying 2^128 possibilities, which is still computationally unlikely. At a million a second it'd take 10^25 years, and even Moore's Law won't crack that for a while
Guessing it with a hint… now, that might be possible!

Slide 17

Hint Sources

Structural limitations on passwords: the 1980s "LAN Manager" software limited the possible number of hashes (the password is uppercased, padded to 14 characters and split into two 7-character halves that are hashed independently) so that checking all possible hashes can be done in a few days on a modern system rather than a zillion years… so LM hashes must go
Hashes come from human-chosen passwords, and humans tend not to create passwords like "6$^^hH-()()()()(7Ghala"
Worse yet, many people restrict themselves to personal info or English words
This is how the bad guys get passwords!

Slide 19

Protecting Your Passwords

Get your users to create useful, non-trivial passwords
Mandate a minimum password length of at least 8 characters, consider 12… 7 or under is bad under all circumstances for several reasons (one of them: a password of 7 or fewer characters leaves the second LM half empty, so the whole password falls to a single 7-character search)
Don't rely on complexity rules; prefer length
Train users to avoid simple English words
Get rid of LM now. Really… now.
Group policies will do it ("Network security: Do not store LAN Manager hash value on next password change" and "Network security: LAN Manager authentication level")
Most systems will not have a compatibility problem, but check NASes and network-attached printers

Slide 20

Win 6/7 and LM

After telling us to rid our networks of LM-related stuff for ten years, Microsoft took a big step…
… Vista, Server 2008, Win 7 and Server 2008 R2 ship with LM turned off: they don't store LM hashes (the "do not store LAN Manager hash" policy is on by default) and they send NTLMv2 only (LAN Manager authentication level defaults to 3)
A stock Vista box won't create an LM hash; the policies can still be flipped back by an admin or a GPO, so check them rather than assume
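Checking the two LSA values behind these policies on a box you administer, and setting them if they are wrong, as an added example that is not part of the deck. It reads and writes HKLM\SYSTEM\CurrentControlSet\Control\Lsa directly, which is what the two group policies themselves do; it assumes PowerShell 3 or later and an elevated prompt, and a GPO that sets these values will re-apply its own at the next policy refresh:

```powershell
# Added example, not from the deck: check (and optionally fix) the two LSA values
# behind the LM policies on the local machine. Run elevated.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmSettings {
    $p = Get-ItemProperty -Path $lsa
    [pscustomobject]@{
        # "Network security: Do not store LAN Manager hash value on next password change"
        NoLMHash             = $p.NoLMHash               # 1 = don't store LM hashes
        # "Network security: LAN Manager authentication level"
        # 0-2 send LM/NTLMv1, 3 = send NTLMv2 only (the Vista+ default when absent),
        # 4 = also refuse LM as a server, 5 = also refuse NTLMv1 as a server
        LmCompatibilityLevel = $p.LmCompatibilityLevel
    }
}

function Test-LmSettings {
    $s = Get-LmSettings
    $findings = @()
    if ($s.NoLMHash -ne 1) {
        $findings += 'LM hashes will be stored at the next password change (NoLMHash is not 1)'
    }
    if ($null -eq $s.LmCompatibilityLevel) {
        $findings += 'LmCompatibilityLevel not set explicitly; the OS default applies (3 on Vista/2008 and later, lower on XP/2003)'
    } elseif ($s.LmCompatibilityLevel -lt 3) {
        $findings += "This machine still sends LM/NTLMv1 responses (LmCompatibilityLevel = $($s.LmCompatibilityLevel))"
    } elseif ($s.LmCompatibilityLevel -lt 5) {
        $findings += "This machine still accepts LM/NTLMv1 from clients (LmCompatibilityLevel = $($s.LmCompatibilityLevel); 5 refuses both)"
    }
    $findings
}

function Set-LmSettings {
    # Stop storing LM hashes and go NTLMv2-only. Existing LM hashes survive until each
    # account's next password change, so force a change after this.
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}

Test-LmSettings      # prints one line per finding; no output means both values are where you want them
```

Set the level to 5 only after the NTLM audit shows nothing still speaking LM or NTLMv1 to this machine; on a domain controller, level 4 or 5 is what actually stops old clients from getting in, while levels 0-3 only govern what this machine sends.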

Slide 21

The Dumbest Passwords

I've got to stress this…
In the early 21st century, these kinds of passwords can almost always be cracked in under three minutes:
A name associated with you or your organization
A date associated with you or your organization
A dictionary word
BTW, just adding a number or a capital adds no more than a few minutes to the time
People with these passwords must, sadly, be sterilized

Slide 22

12 Characters? Are You Crazy?

I advocate a 12-character minimum password length… more length makes up for a "no complexity" requirement
Only requires a bit of user education on the "passphrase"
12 lowercase letters = 26^12 = 95,428,956,661,682,176 possibilities
Try a million a second and the full space takes about 3,000 years (9.5 × 10^16 ÷ 10^6 per second ≈ 9.5 × 10^10 seconds ≈ 30 centuries); an attacker who holds your hash will guess far faster than that, which is the argument for going longer still
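The arithmetic behind this slide and the previous one, generalised to a few password shapes, as an added example that is not part of the deck. The keyspace sizes (95 printable ASCII characters, the LM split into two 7-character halves over 69 symbols, a 170,000-word dictionary) are assumptions stated in the code, and the guess rate defaults to the deck's million per second:

```powershell
# Added example, not from the deck: time to exhaust a password keyspace at a given
# guess rate. Pass a larger -GuessesPerSecond to model an attacker with real hardware.
function Get-CrackTime {
    param(
        [Parameter(Mandatory)][string] $Label,
        [Parameter(Mandatory)][double] $Keyspace,
        [double] $GuessesPerSecond = 1e6
    )
    $seconds = $Keyspace / $GuessesPerSecond
    [pscustomobject]@{
        Password = $Label
        Keyspace = '{0:E2}' -f $Keyspace
        Days     = [math]::Round($seconds / 86400, 1)
        Years    = [math]::Round($seconds / 31557600, 1)   # 365.25-day years
    }
}

function Get-CrackTimeTable {
    param([double] $GuessesPerSecond = 1e6)
    # Keyspaces are full-search sizes; on average the password falls after half of it.
    # The dictionary row models slide 21: ~170,000 words, an appended digit, optional capital.
    $shapes = @(
        @{ Label = 'dictionary word + digit, maybe capitalised';  Keyspace = 170000 * 10 * 2 }
        @{ Label = '7 chars, 95 printable ASCII';                 Keyspace = [math]::Pow(95, 7) }
        @{ Label = '8 chars, 95 printable ASCII';                 Keyspace = [math]::Pow(95, 8) }
        # LM: uppercased, 14 chars cracked as two independent 7-char halves over ~69 symbols,
        # so the work is 2 * 69^7, not 69^14.
        @{ Label = 'LM hash, any 14 chars';                       Keyspace = 2 * [math]::Pow(69, 7) }
        @{ Label = '12 lowercase letters (the deck''s passphrase)'; Keyspace = [math]::Pow(26, 12) }
        @{ Label = '16 lowercase letters';                        Keyspace = [math]::Pow(26, 16) }
    )
    foreach ($s in $shapes) {
        Get-CrackTime -Label $s.Label -Keyspace $s.Keyspace -GuessesPerSecond $GuessesPerSecond
    }
}

Get-CrackTimeTable | Format-Table -AutoSize
Get-CrackTimeTable -GuessesPerSecond 1e10 | Format-Table -AutoSize   # a much faster attacker
```

At a million guesses a second the 12-lowercase row comes out near 3,000 years and the LM row under half a year; at ten billion a second the 8-character full-ASCII row is about a week and the 12-lowercase row about four months, which is why length, not the charset, is the lever.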

Slide 23

The Ultimate Password

Remember why English word passwords are childishly simple to crack? They weren't 12 years ago
As Moore's Law strides on, one day any eight-character password, no matter how obscure, will be crackable in an hour or so
And then what do we do?
Answer: PKI… so put that on your "things to figure out in the next couple of years" list
WS08 R2 Authentication Mechanism Assurance: at 2008 R2 domain functional level, a smart-card logon adds a group to the user's token based on the certificate's issuance policy, so resources can be ACLed to require certificate logon rather than a password

Slide 24

Watch Your Authentication Protocols

Slide 25

Why They Matter

When you log on, your system decides under the hood how to authenticate with a domain controller, using one of:
LM
NTLM
NTLMv2
Kerberos
Even in an AD world, the top three get used… and you really want to avoid that

Slide 26

What? Not Use Kerberos?

Even in an AD-centric network, you may not get Kerberos when you:
NET USE to an IP address (no name, so no service principal name to request a ticket for)
Connect to a workgroup system on Windows of any version
Connect to a pre-2000 system
Fall back to NTLM because a busy or unreachable DC couldn't issue a ticket
Use badly-written apps (any apps older than 7 years?)
Browse an intranet site not added to the "Local intranet" zone
Nowadays we really want to de-NTLM our networks as much as possible

Slide 28

Kerberos Logon vs NTLM Logon

How you know you're NTLM-ing:
Can't join machines to domains
Don't get group policies
Netmon traces show NTLM, not Kerberos traffic
(A quicker check: logon events in the Security log, 4624 on Vista and later, carry an "Authentication Package" field that reads Kerberos or NTLM, and klist on a Windows 7/2008 R2 client lists the tickets you got, or didn't)
Tracking this stuff down by hand is a pain, so Windows 7/Server 2008 R2 offer some new group policies

Slide 29

NTLM Restriction Policies

Essentially these new policies let you first track and then block NTLM logons
There are basically three policies, each with an "audit" and a "block" option:
Incoming NTLM traffic (server tracking)
Outgoing NTLM traffic (client tracking)
Domain traffic (DC tracking)
Matches are written to a new log, Applications and Services Logs > Microsoft > Windows > NTLM > Operational, as events 8001, 8002, 8003 and 8004
Audit first; blocking before that log is quiet breaks whatever still speaks NTLM (the printers and NASes again)
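Turning the three policies on in audit mode and summarising what the NTLM operational log then records, as an added example that is not part of the deck. The registry value names and meanings are the ones behind the "Network security: Restrict NTLM" policies on Windows 7/Server 2008 R2 and later (an assumption; check each against the policy's Explain tab), it runs elevated, and the Netlogon value only matters on a domain controller:

```powershell
# Added example, not from the deck: enable the Restrict NTLM policies in audit mode
# through their registry values, then summarise the NTLM operational log by event ID.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Enable-NtlmAudit {
    # "Audit Incoming NTLM Traffic": 2 = audit all accounts (server side, event 8002)
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    # "Outgoing NTLM traffic to remote servers": 0 allow, 1 audit all, 2 deny all (client side, event 8001)
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # "Audit NTLM authentication in this domain": 7 = enable all (DC side, events 8003/8004)
    if (Test-Path $nl) {
        Set-ItemProperty -Path $nl -Name AuditNTLMInDomain -Value 7 -Type DWord
    }
}

function Get-NtlmAuditSummary {
    param([int] $MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'
        Id      = 8001, 8002, 8003, 8004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events |
        Group-Object Id |
        ForEach-Object {
            # The first line of each message names the scenario (client, server, domain);
            # the remaining lines carry the user, domain, target and workstation fields.
            $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = [int]$_.Name
                Count    = $_.Count
                Summary  = ($newest.Message -split "`r?`n")[0]
                LastSeen = $newest.TimeCreated
            }
        } |
        Sort-Object EventId
}

Enable-NtlmAudit
Get-NtlmAuditSummary | Format-Table -AutoSize
```

Leave it in audit mode for at least one full business cycle (month-end jobs included) before moving any of the three to block; anything that must stay on NTLM goes into "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" rather than being left unblocked globally.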
Slide 31

Windows 6/7 Crypto Changes

Windows Vista/2008 adds AES to Kerberos (AES128/AES256 keys alongside the RC4 keys)
Needs 2008 domain functional level; happens automatically upon the shift to 2008 DFL
Server 2003 R2 and earlier DCs cannot employ AES
Side-effect you'll see in a network trace: a Win 6/7 client's first AS-REQ comes back with KRB5KDC_ERR_PREAUTH_REQUIRED (0x19) and the client retries with pre-authentication data using the encryption type the KDC named. That "failed" first attempt is normal; a bad password would be KDC_ERR_PREAUTH_FAILED (0x18), not 0x19

Slide 32

Handling Admin Accounts and Eliminating "Administrator"

Slide 33

Creating Good Admin Passwords (without having to stress the users)

Having someone crack one of our (administrator) passwords would be bad
One answer: set up a different password policy for members of the Domain Admins group from the policy for non-admins
Possible in 2008 and 2008 R2 with "password settings objects" (fine-grained password policy)
Needs 2008 DFL; a good tool to utilize it is PSOMgr from www.joeware.net
PSOs apply to users and global security groups, not to OUs, and the lowest precedence value wins if several apply

Slide 34

PSOMgr.exe (screenshot)
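The same job done with the ActiveDirectory PowerShell module that ships with Server 2008 R2 and RSAT, as an added example that is not part of the deck and is not PSOMgr. It needs Windows Server 2008 domain functional level; the PSO name, the group and the policy values are placeholders to adjust:

```powershell
# Added example, not from the deck: a stricter password policy for admins via a PSO.
Import-Module ActiveDirectory

function New-AdminPasswordPolicy {
    param(
        [string] $Name       = 'Admin-PSO',
        [string] $Subject    = 'Domain Admins',   # users or global security groups only, never OUs
        [int]    $MinLength  = 15,
        [int]    $Precedence = 10                 # lower wins when a user matches several PSOs
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
            -MinPasswordLength $MinLength `
            -ComplexityEnabled $true `
            -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' `
            -MaxPasswordAge '60.00:00:00' `
            -LockoutThreshold 5 `
            -LockoutObservationWindow '0.00:30:00' `
            -LockoutDuration '0.00:30:00' `
            -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subject
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string] $SamAccountName)
    # The PSO that actually wins for this user, or the domain default when none applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    } else {
        Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold
    }
}

New-AdminPasswordPolicy
Get-EffectivePasswordPolicy -SamAccountName 'jsmith'   # placeholder admin account
```

Run the second function for an admin and for an ordinary user after creating the PSO: the admin should show Admin-PSO, the ordinary user the domain default. Note that the lockout values above lock out admins too, which is deliberate for a group whose passwords are worth guessing.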

Slide 35

Stomping Administrator (the account, that is)

The local "Administrator" account is unaccountable: a shared password means no audit trail names a person
Rename it
Prohibit insiders from using it also (otherwise, auditing is pointless)
Give people's accounts the admin privileges that they need… no more
Then assume that people using Administrator have no good in mind: make using it a firing offense!
No real need for the Administrator account any more

Slide 36

Stomping Administrator

Randomize the admin password:

net user administrator /random /domain >nul

(net user's /random produces only an 8-character password, and without >nul it prints that password to the console, so treat this as "nobody knows it", not as "it's strong"; set a long one yourself if the account must stay usable)
It doesn't hurt to rename the account in any case (renaming doesn't change its RID, 500, which is how attackers and their tools find it anyway)
If using 2003 or 2008, you can:
Create a smart card for the Administrator account
Force the Administrator account to only be able to log on with the card ("Smart card is required for interactive logon" on the account), so Ctrl-Alt-Del with a password won't work
Lock up the card and disperse the PIN
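A longer-password version of the randomise-and-rename step, as an added example that is not part of the deck. It finds the built-in account by RID 500 rather than by name, uses the OS cryptographic RNG for a 24-character password instead of net user's 8, and sets it over ADSI so the password never appears on a command line. WMI and ADSI only, so it runs on XP/2003 through Windows 7/2008 R2 from an elevated prompt; the new account name is a placeholder:

```powershell
# Added example, not from the deck: random long password for, and rename of, the
# built-in local Administrator (RID 500), optionally disabling it. Run elevated.

function New-RandomPassword {
    param([int] $Length = 24)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!'
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte = New-Object byte[] 1
    $sb   = New-Object System.Text.StringBuilder
    # Rejection sampling: 256 is not a multiple of 66, so bytes >= 198 are discarded
    # instead of wrapped, which would make the first few characters more likely.
    $limit = 256 - (256 % $alphabet.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Get-BuiltinAdministrator {
    # RID 500 is the built-in account regardless of what it is currently called.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True AND SID LIKE '%-500'"
}

function Invoke-StompAdministrator {
    param([string] $NewName = 'lcladm-x7', [switch] $Disable)
    $acct = Get-BuiltinAdministrator
    $pw   = New-RandomPassword -Length 24
    # ADSI keeps the password off the command line (net user would expose it in process listings).
    $user = [ADSI]"WinNT://./$($acct.Name),user"
    $user.SetPassword($pw)
    if ($Disable) { $user.AccountDisabled = $true }
    $user.SetInfo()
    if ($acct.Name -ne $NewName) { [void]$acct.Rename($NewName) }
    # The password is returned once, to the caller, for the break-glass vault; it is not logged.
    [pscustomobject]@{
        Sid = $acct.SID; OldName = $acct.Name; NewName = $NewName; Disabled = [bool]$Disable; Password = $pw
    }
}

Invoke-StompAdministrator -NewName 'lcladm-x7'
```

For the domain Administrator the same generator feeds Set-ADAccountPassword -Identity Administrator -Reset -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force). Use -Disable only where nothing still runs as the built-in account; Vista and later ship it disabled already, and it re-enables itself for Safe Mode when no other local admin exists.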

Slide 37

Don't Spend All Day As Admin

Tempting to be logged in all day as an administrator
Workaround: the runas command, although truthfully it's a pain
Works best when shift-right-clicking a menu item ("Run as…")
But there's a better way…

Slide 38

What About UAC?

In a sense, it's a "reverse Run As"
You log in as an administrator, but automatically get two identities (a filtered standard-user token and the full admin token), and a reminder whenever you use the powerful one
People find it annoying… but I really recommend that you keep it in place
In silent mode ("Behavior of the elevation prompt for administrators in Admin Approval Mode" set to "Elevate without prompting") it essentially automates the "two account switch" trick, but you lose the reminder, so anything running as you can elevate without you noticing
Once you understand UAC, it can be very useful, so give it a second look

Slide 39

Audit Your Network

Slide 40

Windows Auditing

It's been around forever, but isn't always used
Why use it?
After-the-fact forensics
Helpful in compliance situations (HIPAA, SOX)
Treat logs policy-wise the way you treat money accounting records
Biggest pain is collecting and archiving the Security logs, as there's one on every workstation and server

Slide 41

Auditing and Logs: what modern Windows offers

Fine-tune who you're auditing with auditusr, which first appeared in XP SP2 and 2003 SP1/R2
In Vista and later, it's auditpol (auditpol /get /category:* shows the effective policy, auditpol /set /subcategory:… changes it) and it has different syntax
Easily centralize logs with Windows 6 and 7's ability to forward events to a single system: "event log subscriptions" (Windows Event Collector: winrm quickconfig on the sources, wecutil qc on the collector)

Slide 42

Auditing and Logs: some fairly big news in Windows auditing in Win 7/R2

More auditable stuff: group policy in Vista exposes only the 9 top-level categories… Windows 7/R2 exposes 54 subcategories, so you can, say, audit logons without also auditing every Kerberos ticket
To see this, look in Group Policies / Windows Settings / Security Settings; the old "Local Policies / Audit Policy" is there, but there's also now an "Advanced Audit Policy Configuration" folder
If you use the advanced settings, also enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", or the legacy category policy can undo them
"Global SACL" or "Global object access auditing" completely changes object auditing: one policy-level SACL for the file system or registry, no per-object SACLs to maintain
Use either group policies or auditpol to enable "Reason for access" reporting (the Handle Manipulation subcategory; the access event then names the ACE that granted the access)
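Reading the effective subcategory policy, enabling the ones forensics usually needs (including Handle Manipulation for reason-for-access), and adding a global file SACL, as an added example that is not part of the deck. Windows 7/Server 2008 R2 or later, elevated; the subcategory list is a starting point, not a standard, and the global SACL below audits writes by anyone, which is noisy:

```powershell
# Added example, not from the deck: audit policy as data (auditpol CSV), gap report,
# then enable the gaps plus a global object access SACL for file writes.

function Get-AuditPolicy {
    # /r yields CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    (auditpol.exe /get /category:* /r) | Where-Object { $_ } | ConvertFrom-Csv
}

$wanted = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Security Group Management', 'User Account Management',
    'Process Creation', 'Audit Policy Change',
    'Handle Manipulation'      # this is what turns on "reason for access" in the access events
)

function Get-MissingAuditSettings {
    # Anything on the wanted list that isn't already Success and Failure.
    Get-AuditPolicy | Where-Object {
        $wanted -contains $_.Subcategory -and $_.'Inclusion Setting' -ne 'Success and Failure'
    }
}

function Enable-ForensicAuditing {
    foreach ($sub in $wanted) {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    # Global object access auditing: one SACL for the whole file system, no per-folder edits.
    # FW = write data. Expect a flood of 4663 events; have the collector in place first.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol.exe /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW | Out-Null
}

Get-MissingAuditSettings | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
# Enable-ForensicAuditing        # then re-run the line above; it should print nothing
```

auditpol /resourceSACL /view /type:File shows the global SACL you set; auditpol /resourceSACL /clear /type:File removes it. Keep the "Force audit policy subcategory settings" policy enabled alongside this, otherwise a legacy category-level GPO will flatten the subcategories again at the next refresh.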

Slide 44

Securing Services

Slide 45

Securing Services

Whenever there's a headline-grabbing security attack, there's a compromised service behind it
There have traditionally been three things you can do to reduce services' vulnerabilities:
Disable the unnecessary ones
Minimize the remaining ones' privileges
Minimize the remaining ones' permissions
XP SP2 started a trend that way, but you may be surprised at what Windows 6 did to shore up services' security

Slide 46

Services, Phase One: disable unnecessary ones

Much less necessary with Vista/2008
Messenger, clipbook, alerter services gone
Other services are isolated in their own session (session 0 isolation: services stay in session 0, the first interactive user gets session 1) and so cannot interact with the desktop
(Only bad part: causes some pre-Vista print drivers to fail)

Slide 47

Services, Phase 2: de-fang the services that you leave running

Services run not as you, but as some account, probably System, which is all-powerful
Thus, any damage that they can do is limited by the permissions and privileges of that account
Unfortunately that's usually System
Vista/2008 includes a built-in feature that reduces much of System's power: a service can declare the privileges it needs and gets a token stripped of the rest, and each service gets its own SID that ACLs can name

Slide 48

Services, Phase 2: finding out if your devs have been lazy

The problem is that not every developer exploits it
Way to find out: open an elevated command prompt and type

sc qprivs servicename

If you don't get a list of privileges, that service has not been secured (an empty list means "everything the account has"), so yell at the developer!

Slide 50

Services, Phase 3: reducing their power with service isolation

"System" has all-encompassing file permissions
Vista/2008 take it a step further with "service isolation"
Basically, an isolated service is one whose developer has very finely determined which files/folders/registry keys a given service needs, granted its per-service SID access to those, and used a new Vista/2008 feature (a write-restricted token) to explicitly lock it out of writing anywhere else
Test:

sc qsidtype servicename

You want to see "SERVICE_SID_TYPE: RESTRICTED"
If not… whack the developers!
(Hey, if you've got Win 6/7, you've already paid for this!)
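Running the deck's two checks across every running service at once, as an added example that is not part of the deck. Vista/2008 or later, elevated; it parses sc.exe's text output, and the Risk column is a heuristic (LocalSystem, no privilege list, unrestricted SID), not a verdict:

```powershell
# Added example, not from the deck: sc qprivs / sc qsidtype for every running service.
# sc.exe is spelled out because plain "sc" is PowerShell's alias for Set-Content.

function Get-ServiceHardening {
    Get-WmiObject Win32_Service -Filter "State = 'Running'" | ForEach-Object {
        $name = $_.Name
        # Required privileges: an empty list means the service keeps every privilege its account has.
        $privText = (sc.exe qprivs $name) -join "`n"
        $privs = @([regex]::Matches($privText, 'Se\w+Privilege') | ForEach-Object { $_.Value })
        # Service SID type: RESTRICTED = write-restricted token, can only write where its own SID is granted.
        $sidText = (sc.exe qsidtype $name) -join "`n"
        $sid = if ($sidText -match 'SERVICE_SID_TYPE:\s*(\w+)') { $matches[1] } else { 'UNKNOWN' }
        [pscustomobject]@{
            Name       = $name
            Account    = $_.StartName
            Privileges = if ($privs.Count) { $privs -join ',' } else { '(all of account)' }
            SidType    = $sid
            Risk       = ($_.StartName -eq 'LocalSystem' -and $privs.Count -eq 0 -and $sid -ne 'RESTRICTED')
        }
    }
}

function Set-ServiceHardening {
    # Apply least privilege to a service you own and have tested: an explicit privilege
    # list and a restricted SID. Takes effect at the next service start.
    param(
        [Parameter(Mandatory)][string]   $Name,
        [string[]] $Privileges = @('SeChangeNotifyPrivilege')
    )
    sc.exe privs $Name ($Privileges -join '/') | Out-Null
    sc.exe sidtype $Name restricted | Out-Null
}

Get-ServiceHardening | Where-Object { $_.Risk } | Sort-Object Name |
    Format-Table Name, Account, SidType -AutoSize
```

Treat the Risk list as the conversation to have with each service's vendor, not as a change list: a third-party service whose privileges or SID type you trim without the developer's input will fail in ways that look like anything but a permissions problem, and the unrestricted built-in services in the output are Microsoft's to fix.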

Slide 51

Managed Service Accounts: background, what problem does this solve?

Services must run under an account, and LocalSystem / LocalService / NetworkService can't always do the job
IIS, Exchange, SQL are some common examples
In that case, techies need to create accounts to act as service accounts
That works fine, except for the issue of passwords: they need regular changing or services stop working

Slide 52

Managed Service Accounts: answer, managed service accounts

New class of accounts: sorta user accounts, sorta machine accounts (new icon)
You:
Create one on the domain
"Install" it on the member server
Configure the service so that it logs on as that account, and from there password updates etc. are automatic
Need one account per member server (a managed service account can be installed on only one computer)

Slide 53

Managed Service Accounts: password details

240-character passwords created
Ignore group policies about passwords and ignore fine-grained password policies
Automatically handle password changes every 30 days

Slide 54

Managed Service Accounts: requirements/details

Requires at least one 2008 R2 DC (which means a 2008 R2 schema on the forest)
Requires AD PowerShell (and therefore AD Web Service) to create accounts
Live in their own new folder (not an OU) called "Managed Service Accounts"
Servers hosting services that use the accounts must be R2/Win 7
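The three steps scripted, as an added example that is not part of the deck. It needs the ActiveDirectory module with ADWS reachable, the 2008 R2 schema and a Windows 7/Server 2008 R2 host; svc-web, APP01, MyAppService and CONTOSO are placeholders, and step 1 runs on an admin workstation while steps 2 and 3 run on the member server itself:

```powershell
# Added example, not from the deck: create, install and use a managed service account.
Import-Module ActiveDirectory

# Step 1, from any box with the AD module: create the account and tie it to the one
# computer allowed to install it (one account per host; the SAM name is limited to 15 chars).
New-ADServiceAccount -Name 'svc-web' -Enabled $true
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-web'

# Step 2, on APP01 as a local administrator: install it. The password lands in this
# machine's LSA secrets; nobody types it and nobody knows it.
Install-ADServiceAccount -Identity 'svc-web'
if (-not (Test-ADServiceAccount -Identity 'svc-web')) { throw 'APP01 cannot use svc-web' }

# Step 3, still on APP01: make the service log on as the MSA. Win32_Service.Change takes
# positional arguments; $null leaves everything but StartName/StartPassword untouched,
# and the empty password tells the service controller to fetch the real one from LSA.
$svc = Get-WmiObject Win32_Service -Filter "Name = 'MyAppService'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svc-web$', '')
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($rc.ReturnValue)" }
Restart-Service -Name 'MyAppService'

# The rotation you no longer do by hand: PasswordLastSet should advance every 30 days.
Get-ADServiceAccount -Identity 'svc-web' -Properties PasswordLastSet |
    Select-Object Name, Enabled, PasswordLastSet
```

Two checks worth doing afterwards: the service's Log On tab should show CONTOSO\svc-web$ with blank password fields, and the account should appear under the Managed Service Accounts container, not Users. On Server 2012 and later New-ADServiceAccount creates a group MSA by default; add -RestrictToSingleComputer to get the one-host account this slide describes.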

Slide 55

Physical Security

Slide 56

Physical Security

The idea is "if I can touch it, I can hurt it"
The top item on many people's security lists… but not always a practical one to accomplish
Servers are often protected…
… but what about in branch offices?
And how can we (realistically) secure workstations, particularly laptops?
And beyond workstations, what about the other things that carry copies of our data?

Slide 57

Physical Security using Windows 6 and 7: three technologies

Device installation group policies: "no removable devices allowed on this system"
BitLocker: encrypts drives, securing laptops and branch office servers
BitLocker To Go: encrypts removable devices like USB sticks
Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"

Slide 58

Physical Security and RODCs: protecting your Active Directory

In branch offices with questionable physical security, consider 2008-based "read only domain controllers" or RODCs
By default, RODCs contain copies of the AD…
… but no passwords (apart from the RODC's own computer account and its own krbtgt key)
Thus, it's no good if the WAN link's down, but if stolen, it's got nothing we care about

Slide 59

Physical Security and RODCs: why's it good?

RODCs let you "loosen" security a bit
You can put as many or as few passwords onto an RODC as you like (the Password Replication Policy; with cached passwords the branch keeps logging on through a WAN outage, and those cached accounts are exactly the ones to reset if the box walks)
And if the RODC is stolen, just three clicks (deleting the RODC's computer account in Active Directory Users and Computers) resets the cached passwords and deletes the RODC's domain membership
Combine it with BitLocker and you're better protected
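The day the RODC walks, scripted, as an added example that is not part of the deck: list what it had cached, reset the user accounts, and report the rest. ActiveDirectory module, run as a domain admin; RODC-BRANCH1 is a placeholder:

```powershell
# Added example, not from the deck: exposure report and password resets for a stolen RODC.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web    # for Membership.GeneratePassword

function Get-RodcCachedAccounts {
    param([Parameter(Mandatory)][string] $Rodc)
    # "Revealed" accounts are the ones whose secrets were actually replicated to the RODC,
    # i.e. what the thief now holds. -AuthenticatedAccounts would list who merely logged on there.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
}

function Invoke-RodcTheftResponse {
    param([Parameter(Mandatory)][string] $Rodc, [switch] $Execute)
    foreach ($acct in Get-RodcCachedAccounts -Rodc $Rodc) {
        $isUser = $acct.ObjectClass -eq 'user'
        $action = switch ($acct.ObjectClass) {
            'user'     { 'reset password, force change at next logon' }
            'computer' { 'reset by rejoining the computer to the domain' }
            default    { 'review by hand' }
        }
        if ($Execute -and $isUser) {
            # 24 characters, at least 6 non-alphanumeric; the user replaces it at first logon anyway.
            $new = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(24, 6)) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $new
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
        }
        [pscustomobject]@{
            Account = $acct.SamAccountName
            Class   = $acct.ObjectClass
            Action  = $action
            Done    = [bool]($Execute -and $isUser)
        }
    }
    # Then delete the RODC's computer account in Active Directory Users and Computers: that
    # dialog is the deck's "three clicks", and it also offers to reset the cached passwords
    # and to export the list, which is the evidence you keep for the incident record.
}

Invoke-RodcTheftResponse -Rodc 'RODC-BRANCH1'              # dry run: report only
# Invoke-RodcTheftResponse -Rodc 'RODC-BRANCH1' -Execute   # resets the user accounts
```

Run the dry run before anything is stolen, too: if the revealed list contains accounts that have no business in that branch (domain admins, service accounts), the Password Replication Policy is too loose and that is the thing to fix today.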

Slide 60

Disaster Recovery / Business Continuity

Slide 61

Have a Disaster Plan: the problem

Every organization needs DR and BC plans
"What if we're hacked?"
"What if there's a fire?"
"What if the water tower on the roof leaks and we have a flood on the top floor, where the servers are?"
DR plans can be a pain; here are a few thoughts

Slide 62

Have a Plan: have simple (but explicit) plans

After the attack/disaster, the question's the same: where are the backups? How do I restore them? How do I rebuild a DHCP server?
These should be step-by-step plans
These must be tested beforehand
This is not a small job, but it's necessary and even constitutes training materials for new hires

Slide 63

Make DR a Bit Easier w/2008

DR plans are a good idea… but can be so hard to do
Answer: some sort of image backup / "bare metal restore" tool
Many of the big vendors have them
But 2008 includes one: Complete PC backup (the full-server, bare-metal option in Windows Server Backup)

Slide 64

Upgrade the Carbon Units

No technology can protect us from attachments
Kournikova worked because users didn't know better and because we "protect" them from extensions (Explorer hid the .vbs, so AnnaKournikova.jpg.vbs looked like a picture)
The weasels only win when users invite them in
Don't yell, but… user training is the answer
Just 15 minutes of basics about mail and attachments goes a long way

Slide 65

Stay Informed and Stay Paranoid

www.microsoft.com/security for patches etc.
www.sans.org
www.securityfocus.com
The security pages from whatever apps you rely upon

Slide 66

Simplify Patching

If "physical" is #1 on many lists, this is probably #2 or #3
WSUS, of course
But don't forget your other technologies
And then there's patching images
If, however, you're using the free Windows (6 and 7) deployment tools from Microsoft, patching WIM imaging technology is easier than just about any tech around (and, again, it's free)

Slide 67

Related Content

WCL308: Deploying Windows 7 BitLocker in the Enterprise
SIA310: Cybercrime: A Journey to the Dark Side
SIA202: Developing a Security Awareness Strategy
SIA201: Windows 7 Security Overview
SIA302: Security Management - Integrated Enterprise Security
SIA206: Microsoft Security Intelligence Report

Slide 68

Question & Answer

Slide 69

Resources

www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources

TechEd 2009 session recordings are available at TechEd Online (www.microsoft.com/teched)

Slide 71

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.