Protect Your Windows Network: From Perimeter to Data, by Jesper M. Johansson and Steve Riley (chapter notes)

1 - Introduction to Network Protection
- Information technology is working properly only when users can stop thinking about how or why it works.
- Security management is about spending good money to have nothing happen.
- The fundamental tradeoffs are between cost, level of security, and usefulness/usability.
- Reference: Microsoft Library - Security Center
- A protected network is one with an absence of unmitigated vulnerabilities that can be used to compromise the network.
- To have a truly secure network you must enumerate every place where it might be insecure and demonstrate that it is not insecure in any of them. This is possible only in theory, not in practice (chasing unicorns).

2 - Anatomy of a Hack
- No network is any more secure than the least-secure device connected to it.
- SQL injection is a vulnerability in the application, not in the DBMS itself.
- The only proper way to clean a compromised system is to nuke and pave it (rebuild from known-good media).

3 - Patch Your Systems
- If required by the support contract, ensure the third-party vendor (ISV) certifies the patch before rollout.
- A test bed that mirrors production is essential for patch testing; typically VMware is used for this.
- Use a small group of cross-functional users from within the organization to beta test patches before the full rollout.
- MBSA is a free alternative for patch scanning.
- WSUS is recommended for small businesses; SMS is used in larger organizations.
- Hot patching replaces the code in memory, but the on-disk system files are not replaced until after a reboot or service restart.
- You can minimize reboots by unpacking the update (/x switch) to determine which files it installs, then finding which running processes have those files open. Often this requires you to disable the service, stop it, and then install the update.
- Slipstreaming is critical to get patches rolled into new installs. Requires ISOBuster.
4 - Developing Security Policy
- Policies may include: Acceptable Use, Antivirus, Remote Access, Email and Retention, Data Protection, Password, Physical Security, Server Security, Direct Tap, Perimeter Protection, System Sensitivity Classification, and Privacy.
- Reference: SANS Security Policy Center
- Relevant legislation and standards: HIPAA, GLBA, SOX, ISO 17799, Financial Institutions, DISA Checklists, STIGs, The Site Security Handbook (RFC 2196)

5 - Educating Those Pesky Users
- Social engineering is the art and science of getting people to comply with your wishes. The levers it pulls:
  - Diffusion of responsibility: "Hey, the VP says you won't bear any responsibility."
  - Chance for ingratiation: "Look at the reward you will get out of this."
  - Trust relationships: "He sounds honest, I think I can trust him."
  - Moral duty: "You've got to help me! Doesn't this make you so mad?"
  - Guilt: "What? You don't want to help me?"
  - Identification: "You and I are really two of a kind, huh?"
  - Desire to be helpful: "Would you help me here, please?"
  - Cooperation: "Let's work together. We can do so much."
- If two people know about it, it ain't a secret!
- Reference: Security Awareness Training
- A good policy for the helpdesk is to verify callers with a bogus (trap) question or a callback mechanism before acting on a request.

6 - If You Do Not Have Physical Security, You Do Not Have Security
- References: Windows PKI Guides, Windows EFS Guide
- EFS should be used on all laptops.
- Adding USB security (making removable storage read-only):

| Setting name | Location | Default value | Possible values |
| WriteProtect | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies | DWORD=0 | 0 - Disabled, 1 - Enabled |
- Key-in-registry SYSKEY can be cracked, because the key sits on disk next to the SAM it protects; use password-mode SYSKEY instead.

7 - Protecting Your Perimeter
Quick tips:
- Block all inbound traffic where the source address is in your internal network (it is spoofed).
- Block all outbound traffic where the source address is not in your internal network (spoofed, or a compromised host attacking others).
- Block all inbound and outbound traffic with an RFC 1918 source or destination.
- Block all source-routed traffic.
- Block all fragments (except where IKE VPNs require them).
- Related reading: deperimeterization.

8 - Security Dependencies
Fundamental rules for network segmentation:
- Less-sensitive (low security) systems may depend on more-sensitive (high security) systems.
- More-sensitive (high security) systems must NEVER depend on less-sensitive (low security) systems.
- Service account dependencies (for example backup software accounts) must be mitigated via reduced permissions and stronger passwords.
- Domain Admin accounts should be used only on a domain controller. Logging on to a desktop, which is less sensitive, with a domain admin account puts that account at risk: its credentials are exposed to whoever controls the desktop.
- To prevent SMB reflection attacks on older systems, ensure SMB message signing is enabled on both client and server.

9 - Network Threat Modeling
STRIDE categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.

10 - Preventing Rogue Access Inside the Network
- 802.1X requires clients (supplicants) and switches/APs (authenticators) that support 802.1X, plus an authentication server (RADIUS). Windows supports EAP-TLS, which involves mutual trust of digital certificates, and PEAP, which allows the supplicant to authenticate with traditional accounts (MS-CHAPv2).
- Legacy devices that do not support 802.1X should be placed on a separate segment. Note that 802.1X prevents PXE boot from working on the network.
- While several GPOs exist for managing wireless 802.1X networks, no published APIs exist for wired 802.1X, making a large deployment very difficult.
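The five perimeter quick tips from chapter 7 above, implemented as a small anti-spoofing filter. This is an added example, not code from the book or from this page. It assumes the organization owns the public range 203.0.113.0/24 (an RFC 5737 documentation prefix), treats IKE as UDP/500, and runs over constructed sample packets rather than captured traffic.

```python
import ipaddress
from dataclasses import dataclass

# Assumed public range owned by the organization (RFC 5737 documentation prefix).
INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IKE_UDP_PORT = 500  # ISAKMP: the one flow in which fragments are tolerated


@dataclass
class Packet:
    direction: str               # "in" (from the outside) or "out" (to the outside)
    src: str
    dst: str
    proto: str = "tcp"           # "tcp", "udp" or "icmp"
    dport: int = 0
    fragment: bool = False       # IP fragment (non-first, or MF flag set)
    source_routed: bool = False  # LSRR/SSRR IP option present


def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Apply the perimeter rules in order; return ("drop", reason) or ("pass", "")."""
    # Tip 1: inbound traffic must not claim an internal source (ingress anti-spoofing).
    if pkt.direction == "in" and _in_any(pkt.src, INTERNAL):
        return "drop", "inbound with internal source address"
    # Tip 2: outbound traffic must carry an internal source (egress anti-spoofing).
    if pkt.direction == "out" and not _in_any(pkt.src, INTERNAL):
        return "drop", "outbound with non-internal source address"
    # Tip 3: RFC 1918 addresses never belong on the perimeter, in either direction.
    if _in_any(pkt.src, RFC1918) or _in_any(pkt.dst, RFC1918):
        return "drop", "RFC 1918 address on perimeter"
    # Tip 4: source routing lets the sender dictate the path and defeat return-path checks.
    if pkt.source_routed:
        return "drop", "source-routed packet"
    # Tip 5: fragments are dropped unless they belong to an IKE (UDP/500) flow.
    # A real filter keys this on a tracked flow, since non-first fragments carry no UDP header.
    if pkt.fragment and not (pkt.proto == "udp" and pkt.dport == IKE_UDP_PORT):
        return "drop", "fragment outside an IKE flow"
    return "pass", ""


# Constructed sample traffic (not captured data).
SAMPLES = [
    Packet("in", "203.0.113.10", "203.0.113.5"),                             # spoofed internal source
    Packet("out", "198.51.100.7", "192.0.2.9"),                              # non-internal outbound source
    Packet("in", "192.168.1.5", "203.0.113.5"),                              # RFC 1918 on the perimeter
    Packet("in", "198.51.100.7", "203.0.113.5", source_routed=True),         # source routed
    Packet("in", "198.51.100.7", "203.0.113.5", fragment=True),              # TCP fragment
    Packet("in", "198.51.100.7", "203.0.113.5", "udp", 500, fragment=True),  # IKE fragment, allowed
    Packet("out", "203.0.113.5", "198.51.100.7", "tcp", 443),                # ordinary outbound
]


def evaluate_samples() -> list[str]:
    """Return the verdict for each sample packet, in order."""
    return [filter_packet(p)[0] for p in SAMPLES]


if __name__ == "__main__":
    for p in SAMPLES:
        verdict, why = filter_packet(p)
        print(f"{p.direction:3} {p.src:>14} -> {p.dst:<14} {verdict:4} {why}")
```

Rule order matters: the spoofing checks come first so that a packet which is both spoofed and fragmented is logged for the more serious reason, and the IKE exception is the only path by which a fragment is ever passed.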
- Another major flaw in 802.1X is that once a client authenticates, the port is opened and never reauthenticated, making it possible for an attacker to join the network behind the authenticated device. This only requires spoofing that device's MAC and IP address, but the attacker's communication must be stateless (ICMP, UDP), because the legitimate host resets TCP connections it did not open.
- Given the major decrease in the time it takes to crack wireless keys, recommended key lifetimes are now 8 minutes (802.11b) and 90 seconds (802.11a/g).
- ipseccmd.exe can be used to define static and dynamic block rules on Windows hosts. The PolicyAgent service must be restarted for a rule to take effect. Only one policy can be assigned at a time.
- Related reading: domain isolation (IPsec-based).

11 - Passwords and Other Authentication Methods
- Cached credentials (the local copy of domain logon information) are built by concatenating the NT hash of the password with the lowercase username and hashing the result again with MD4; the username is the only salt. They are stored in the SECURITY hive of the registry (under Cache), not among the LSA secrets.
- Kerberos authentication is used between systems in a Windows 2000 or later domain, except when connecting by IP address instead of hostname. In that case it falls back to NTLM or NTLMv2, because a service principal name cannot be built from a bare IP address (Kerberos does not do a reverse DNS lookup to find one).
- Pass-the-hash eliminates the need to crack the password: both LM and NTLM authentication are susceptible, and an attacker who obtains the hash itself (typically by dumping it from a compromised host with admin rights) can authenticate with it directly. Intercepting the NTLM exchange on the wire instead yields a challenge-response that can be relayed or cracked, but not the hash. This is not limited to local accounts on the system the hash came from: any host that accepts NTLM authentication for that account, including domain accounts, accepts the replayed hash, so it never has to be cracked.
- Removing LM hashes makes cracking the password substantially harder, since the LM hash splits the password into two 7-character, uppercased halves that are attacked independently.
- With admin permissions, tools such as Cain extract cached credentials immediately; cracking them is then an offline dictionary or brute-force job. Best practice is to disable the storing of cached credentials (CachedLogonsCount=0) on all non-laptops.

12 - Server and Client Hardening
- Reference: Microsoft Security Guidance
- User Software Restriction Policies (SRPs) restrict by IE security zone, full or relative path, signing certificate, or hash.
- Disable anonymous SID/name translation.
- Disable anonymous enumeration of SAM accounts and shares.
- Disable Everyone permissions for anonymous users (the default).
- Disable anonymous access to named pipes and shares (null session access).
- Disable AutoAdminLogon.
- Enable SMB message signing; both client and server must have signing enabled for a session to be protected.
- Recommended LAN Manager authentication level: Send NTLMv2 response only\refuse LM.
- Create the SynAttackProtect key: 0 for systems on slow links, 2 for Internet-facing servers.
- Restricted Groups allow you to control who is a member of local groups (Power Users, Backup Operators, etc.) via GPO. The policy must be refreshed frequently to be effective, since membership is only re-enforced at refresh time.
- Do not audit the use of the Backup and Restore privilege; it creates too many log entries.
- scwcmd transform converts an SCW role (security policy) into a GPO.

13 - Protecting User Applications
- To get a full list of installed software, check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall; it shows more than Add/Remove Programs does.
- Make every effort to run with LUA (least-privileged user account) privileges.
- Use RSoP in the MMC snap-in to determine the net policy effect on your machine.
- GPO should be used to secure many applications, most importantly IE and Outlook.
- Use the Attachment Manager to limit which file types can be downloaded (the unsafe list).
- All applications must be reviewed for patch levels.

14 - Protecting Services and Server Applications
- Uninstall unnecessary components and disable unnecessary features.
- To secure a service account: remove it from default groups, use a strong password, remove Terminal Services capability, and use GPO to assign "Deny log on locally" and "Deny access to this computer from the network" to the account. Then use Filemon/Regmon to see what permissions the account actually requires.
- In SQL Server, sp_dropextendedproc removes unused extended stored procedures.
- References: More SQL Server Security presentation and checklist; IIS Lockdown (only for IIS 5.0), the IIS whitepaper, and URLScan.

15 - Security for Small Businesses
- Windows Defender for spyware, integrated into Vista
- Vista UAC documentation
- Exchange Best Practices Analyzer
- MS Small Business Security Guidance and more SB resources

16 - Evaluating Application Security
- Baseline a system after new software is added: check for new users/groups, new files/folders/registry entries, new privileges granted, new ACLs, and any security settings that may have been changed. InCtrl5 and secedit /generaterollback can be used, along with showaccs.
- SQL Profiler shows you what the SQL server sees coming from the web app.
- References: OWASP application testing guides, more SQL security
- Do not trust home-grown crypto; it is often only encoding (Base64, XOR with a fixed key, ROT13) that anyone can reverse without holding a secret.

17 - Data-Protection Mechanisms
- Since Windows XP the Everyone group no longer includes the anonymous logon, so it is effectively Authenticated Users (plus Guest, where that account is enabled). Do not modify default ACLs on XP or later.
- Windows RMS
- Protected Storage (PStore) has been deprecated by Microsoft as insecure, though many apps still use it. DPAPI is the replacement.
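Chapter 16's warning about home-grown crypto, illustrated in code. This is an added example, not from the book or this page: a made-up "protect" routine of the kind the warning targets (repeating-key XOR wrapped in Base64 so the output looks encrypted), beside the known-plaintext attack that recovers the key from nothing more than the record's predictable prefix and then reads, and could forge, every record. The key, the record format and the field names are assumptions for the demo.

```python
import base64
from typing import Optional

# Constructed hard-coded "key" of the kind a home-grown scheme ships with; not a real key.
HARDCODED_KEY = b"k3y!"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def homegrown_protect(record: bytes, key: bytes = HARDCODED_KEY) -> str:
    """The weak scheme: XOR with a fixed key, then Base64 so the token 'looks encrypted'."""
    return base64.b64encode(xor_repeating(record, key)).decode("ascii")


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    ciphertext[i] ^ plaintext[i] == key[i % len(key)], so XORing the known prefix against
    the ciphertext exposes the key stream; the shortest period that explains every known
    byte is taken as the key. The prefix must be longer than the key for the period to be
    discriminating, so verify by decrypting the rest of the record and checking it parses.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for klen in range(1, len(stream) + 1):
        candidate = stream[:klen]
        if all(stream[i] == candidate[i % klen] for i in range(len(stream))):
            return candidate
    return None


def break_homegrown(token: str, known_prefix: bytes) -> Optional[bytes]:
    """Strip the Base64, recover the key, and decrypt the whole record without any secret."""
    ciphertext = base64.b64decode(token)
    key = recover_key(ciphertext, known_prefix)
    return None if key is None else xor_repeating(ciphertext, key)


def forge_homegrown(token: str, known_prefix: bytes, new_record: bytes) -> Optional[str]:
    """With the key recovered, mint a token for any record the attacker likes."""
    key = recover_key(base64.b64decode(token), known_prefix)
    return None if key is None else homegrown_protect(new_record, key)


# Constructed sample record; the field layout is an assumption for the demo.
RECORD = b"user=alice;role=user;exp=2099-12-31"


if __name__ == "__main__":
    token = homegrown_protect(RECORD)
    print("token     :", token)
    print("key       :", recover_key(base64.b64decode(token), b"user="))
    print("record    :", break_homegrown(token, b"user="))
    print("forged    :", forge_homegrown(token, b"user=", b"user=alice;role=admin;exp=2099-12-31"))
```

The attacker needs no brute force and no access to the application's code: every record starts with "user=", five bytes that exceed the four-byte key, and that alone yields the key for all records protected with it. Base64 contributes nothing, and ROT13 would fall the same way with a single known character.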