Thursday, August 30, 2007

Protect Your Windows Network

Protect Your Windows Network From Perimeter to Data

by Jesper M. Johansson and Steve Riley

1 - Introduction to Network Protection

Information technology is working properly only when users can stop thinking about how or why it works

Security Management is about spending good money to have nothing happen

Fundamental Tradeoffs are between Cost, Level of Security, and Usefullness/Usability

Microsoft Library - Security Center

A protected network is one with an absence of unmitigated vulnerabilities that can be used to compromise the network

To have a truly secure network you must enumerate every place where it might be insecure and demonstrate that it is not insecure in any of them. This is only possible in theory not in practice (i.e. Chasing Unicorns)

2 - Anatomy of a Hack

No network is any more secure than the least-secure device connected to it

SQL injection is a vulnerability in the application, not the DBMS itself

The only proper way to clean a compromised system is to nuke and pave it

3 - Patch Your Systems

If required by support contract, ensure your 3rd Party Vendor(ISV) certifies the patch prior to rollout

Having a test bed that mirrors production is essential for patch testing, typcially VMware is utilized

Its also a good idea to use a small group of cross-functional users from withing your organization to beta test the patches prior to full rollout

Use MBSA as a free alternative for patch scanning

For small businesses WSUS is recommended, where as SMS is utilized in larger organizations

Hot patching replaces the code in memory, but not on the system files until after a reboot or service restart

You can minimize reboots by unpacking the update(use /x switch) and determining which files will be installed. Then determine which running processes have the same files opened. Often times this requires you to disable a service, stop the service, and then install the update.

Slipstreaming is critical to get patches rolled into your new installs. Requires ISOBuster . Read More

4 - Devloping Security Policy

Policies may include: Acceptable Use, Antivirus, Remote Access, Email & Retention, Data Protection, Password, Physical Security, Server Security, Direct Tap, Perimeter Protection, System Sensitivity Classification, and Privacy Policies

Sans Security Policy Center

Relevant Legislation/Stds: HIPAA , GLBA , SOX , ISO17799 , Financial Institutions

DISA Checklists , STIGs

The Site Security Handbook

5 - Educating Those Pesky Users

Social Engineering is the art and science of getting people to comply with your wishes

Diffusion of Responsibility - "Hey the VP says you won't bear any responsibility"

Chance for Ingratiation - "Look at the Reward you will get out of this"

Trust Relationships - "He sounds honest, I think I can trust him"

Moral Duty - "You've got to help me! Doesn't this make you so mad?"

Guilt - "What? You don't want to help me?"

Identification - "You and I are really two of a kind, huh?"

Desire to be helpful - "Would you help me here, please?"

Cooperation - "Let's work together. We can do so much"

If Two people know about it, It ain't a secret!

Security Awareness Training

A good policy for the helpdesk to follow is to use a bogus question or callback mechanism

6 - If you do not have physical security, you do not have security

Windows PKI Guides

Windows EFS Guide ,EFS should be used on all laptops

Adding USB Security

Setting name


Default value

Possible values


CurrentControlSet\Control \StorageDevicePolicies


0 - Disabled

1 - Enabled

Key-In-Registery SYSKEY can be cracked, use Password Mode SYSKEY instead

7 - Protecting Your Perimeter

Quick Tips:

Block all inbound traffic where the source address is in your internal network

Block all outbound traffic where the source address isn't in your internal network

Block all inbound and outbound traffic with an RFC1918 source or destination

Block all source routed traffic

Block all fragments (except where IKE VPNs apply)


8 - Security Dependencies

Fundamental Rules for Network Segmentation

Less-sensiitive(low security) systems may depend on more-sensitive(high security) systems

More-sensitive(high security) systems MUST NEVER depend on less-sensitive(low security) systems

Service Account dependencies such as Backup Software accounts must be mitigated via reduced permissions and stronger passwords

Domain Admin accounts should only be used on a domain controller. Logging into a desktop system, which is less sensitive, via a domain admin account puts those accounts at risk.

To prevent SMB reflection attack on older systems ensure SMB Message Signing is enabled on the client and server

9 - Network Threat Modeling




Information Disclosure

Denial of Service

Elevation of privelege

10 - Preventing Rogue Access Inside the Network

802.1X requires clients(supplicant) and switches/APs(authenticators) that support 802.1X, as well as an authentication server(Radius). Windows supports either EAP-TLS, which involves mutual trust of digital certificates, and PEAP, which allows for the supplicant to authenticate via traditional accounts(MS-CHAPv2).

Legacy devices that don't support 802.1X should be placed on a separate segment. Also, note that 802.1X will prevent PXE boot from working on the network. While several GPO's existe for managing wireless 802.1X networks, no published API's exist for wired 802.1X networks, making a large deployment very difficult. Another major flaw in 802.1X, is that once a client authenticates the port is opened and never reauthenticated, making it possible for an attacker to join a network. This only requires that the attacker spoof the MAC and IP address, however communication must be stateless(ICPMP,UDP).

Given the major decrease in the time it takes to crack wireless keys, recommended key lifetimes are now 8 mins(B) and 90 secs(A,G)

ipseccmd.exe can be used to define static and dynamic block rules on windows hosts. Note the policyagent service must be restarted in order for the rule to take effect. Only one policy can be assigned at a time. Read More

Domain Isolation

11 - Passwords and Other Authentication Methods

Cached Credentials for the local storage of domain logon info are a concatentation of your NT Hashed password salted with the username and domain, which is then hashed via MD4.They are stored in the Security Hive of the OS not in LSA Secrets.

Kerberos authentication is used between systems in a W2K or higher domain, except when connecting via IP instead of hostname. In that instance, it falls back to NTLM or NTLMv2, because Kerberos doesn't natively support reverse DNS.

Passing-The-Hash, alleviates the need for cracking the password. Both NTLM and LM are susceptible to this, where a a MITM can intercept the hash and resend it himself without even knowing the password. This only works for local accounts and on the system they came from. To be used on a remote host, the hash must be cracked.

Removing LM Hashes makes cracking the password take 4X longer

With Admin permissions CAIN|Credential Manager will extract and crack cached credentials immediately. Its best practice to disable the storing of cached credentials on all non-laptops.

12 - Server and Client Hardening

Microsoft Security Guidance

User Software Restriction Policies(SRPs) - Restrict by IE Security zone, full or relative path, by signing certificate, or by a hash.

Disable anonymous SID/Name translation

Disable anonymous enumeration of SAM accounts and Shares

Disable Everyone permissions for anonymous users(Default)

Disable Anonymous access to Named Pipes and Shares(Null session access)

Disable autoadminlogon

Enable SMB Message signing, requires that both clients have signing enabled

Recommended to use Send NTLMv2 response only\refuse LM

Create the SynAttackProtect key. Set 0 for systems on slow links. 2 for internet facing servers.

Restricted groups allow you to control who is a member of local groups(Powerusers,BackupOperators,etc) via GPO. This policy must be refreshed frequently to be effective.

Do not audit the use of Backup and Restore privilege, creates to many logs.

scwcmd transform, will convert an SCW role into a GPO

13 - Protecting User Applications

To get a full list of installed software check this key, it shows more then what you see in add/remove software


Make every effort to use LUA priveleges

Make use of RSoP in the MMC snap-in to determine what net policy effect is on your machine. GPO should be used to secure many applications, most importantly IE and Outlook

Utilize the Attachment Manager to limit what types of files can be downloaded. Unsafe List

All applications must be reviewed for patch levels.

14 - Protecting Services and Server Applications

Uninstall unnecessary components, disable unnecessary features

To secure a service account, remove it from default groups, use a strong password, remove terminal services capability, and use GPO to deny log on locally and deny access to this computer from network for that account. Then use filemon/regmon to see what permissions are required for the account to function.

You can use sp_dropextendedproc in SQL server to remove unused stored procefures. Read More

More SQL Server Security Presentation and Checklist

IIS Lockdown only for IIS 5.0, IIS Whitepaper, and URLScan

15 - Security for Small Businesses

Windows Defender for Spyware, integrated into Vista

Vista UAC Documentation

Exchange Best Practices Analyzer

MS Small Business Security Guidance and More SB Resources

16 - Evaluating Application Security

Baseline a system after new software is added, check for new users/groups, new files/folders/registry entries, new priveleges granted, new acl's, and any security settings that may have been changed.

InCtrl5 and > secedit /generaterollback can be used, along with showaccs

SQL Profiler will show you what the SQL server sees coming from the webapp

OWASP application testing guides, more SQLsecurity

Don't trust home grown cypto, they often only use encoding like base64, XOR, or ROT13

17 - Data-Protection Mechanisms

Everyone group is identical to Authenticated Users. Do not modify default ACL's on XP or higher

Windows RMS

Protected Storage(Pstore) has been deprecated by Microsoft, as it is not secure, still used by many apps though

DPAPI is the replacement

No comments:

Post a Comment