Protect Your Windows Network From Perimeter to Data
by Jesper M. Johansson and Steve Riley
1 - Introduction to Network Protection
Information technology is working properly only when users can stop thinking about how or why it works
Security Management is about spending good money to have nothing happen
Fundamental Tradeoffs are between Cost, Level of Security, and Usefullness/Usability
Microsoft Library - Security Center
A protected network is one with an absence of unmitigated vulnerabilities that can be used to compromise the network
To have a truly secure network you must enumerate every place where it might be insecure and demonstrate that it is not insecure in any of them. This is only possible in theory not in practice (i.e. Chasing Unicorns)
2 - Anatomy of a Hack
No network is any more secure than the least-secure device connected to it
SQL injection is a vulnerability in the application, not the DBMS itself
The only proper way to clean a compromised system is to nuke and pave it
3 - Patch Your Systems
If required by support contract, ensure your 3rd Party Vendor(ISV) certifies the patch prior to rollout
Having a test bed that mirrors production is essential for patch testing, typcially VMware is utilized
Its also a good idea to use a small group of cross-functional users from withing your organization to beta test the patches prior to full rollout
Use MBSA as a free alternative for patch scanning
For small businesses WSUS is recommended, where as SMS is utilized in larger organizations
Hot patching replaces the code in memory, but not on the system files until after a reboot or service restart
You can minimize reboots by unpacking the update(use /x switch) and determining which files will be installed. Then determine which running processes have the same files opened. Often times this requires you to disable a service, stop the service, and then install the update.
Slipstreaming is critical to get patches rolled into your new installs. Requires ISOBuster . Read More
4 - Devloping Security Policy
Policies may include: Acceptable Use, Antivirus, Remote Access, Email & Retention, Data Protection, Password, Physical Security, Server Security, Direct Tap, Perimeter Protection, System Sensitivity Classification, and Privacy Policies
Sans Security Policy Center
Relevant Legislation/Stds: HIPAA , GLBA , SOX , ISO17799 , Financial Institutions
DISA Checklists , STIGs
The Site Security Handbook
5 - Educating Those Pesky Users
Social Engineering is the art and science of getting people to comply with your wishes
Diffusion of Responsibility - "Hey the VP says you won't bear any responsibility"
Chance for Ingratiation - "Look at the Reward you will get out of this"
Trust Relationships - "He sounds honest, I think I can trust him"
Moral Duty - "You've got to help me! Doesn't this make you so mad?"
Guilt - "What? You don't want to help me?"
Identification - "You and I are really two of a kind, huh?"
Desire to be helpful - "Would you help me here, please?"
Cooperation - "Let's work together. We can do so much"
If Two people know about it, It ain't a secret!
Security Awareness Training
A good policy for the helpdesk to follow is to use a bogus question or callback mechanism
6 - If you do not have physical security, you do not have security
Windows PKI Guides
Windows EFS Guide ,EFS should be used on all laptops
Adding USB Security
Setting name
Location
Default value
Possible values
WriteProtect
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Control \StorageDevicePolicies
DWORD=0
0 - Disabled
1 - Enabled
Key-In-Registery SYSKEY can be cracked, use Password Mode SYSKEY instead
7 - Protecting Your Perimeter
Quick Tips:
Block all inbound traffic where the source address is in your internal network
Block all outbound traffic where the source address isn't in your internal network
Block all inbound and outbound traffic with an RFC1918 source or destination
Block all source routed traffic
Block all fragments (except where IKE VPNs apply)
Deperimeterization
8 - Security Dependencies
Fundamental Rules for Network Segmentation
Less-sensiitive(low security) systems may depend on more-sensitive(high security) systems
More-sensitive(high security) systems MUST NEVER depend on less-sensitive(low security) systems
Service Account dependencies such as Backup Software accounts must be mitigated via reduced permissions and stronger passwords
Domain Admin accounts should only be used on a domain controller. Logging into a desktop system, which is less sensitive, via a domain admin account puts those accounts at risk.
To prevent SMB reflection attack on older systems ensure SMB Message Signing is enabled on the client and server
9 - Network Threat Modeling
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privelege
10 - Preventing Rogue Access Inside the Network
802.1X requires clients(supplicant) and switches/APs(authenticators) that support 802.1X, as well as an authentication server(Radius). Windows supports either EAP-TLS, which involves mutual trust of digital certificates, and PEAP, which allows for the supplicant to authenticate via traditional accounts(MS-CHAPv2).
Legacy devices that don't support 802.1X should be placed on a separate segment. Also, note that 802.1X will prevent PXE boot from working on the network. While several GPO's existe for managing wireless 802.1X networks, no published API's exist for wired 802.1X networks, making a large deployment very difficult. Another major flaw in 802.1X, is that once a client authenticates the port is opened and never reauthenticated, making it possible for an attacker to join a network. This only requires that the attacker spoof the MAC and IP address, however communication must be stateless(ICPMP,UDP).
Given the major decrease in the time it takes to crack wireless keys, recommended key lifetimes are now 8 mins(B) and 90 secs(A,G)
ipseccmd.exe can be used to define static and dynamic block rules on windows hosts. Note the policyagent service must be restarted in order for the rule to take effect. Only one policy can be assigned at a time. Read More
Domain Isolation
11 - Passwords and Other Authentication Methods
Cached Credentials for the local storage of domain logon info are a concatentation of your NT Hashed password salted with the username and domain, which is then hashed via MD4.They are stored in the Security Hive of the OS not in LSA Secrets.
Kerberos authentication is used between systems in a W2K or higher domain, except when connecting via IP instead of hostname. In that instance, it falls back to NTLM or NTLMv2, because Kerberos doesn't natively support reverse DNS.
Passing-The-Hash, alleviates the need for cracking the password. Both NTLM and LM are susceptible to this, where a a MITM can intercept the hash and resend it himself without even knowing the password. This only works for local accounts and on the system they came from. To be used on a remote host, the hash must be cracked.
Removing LM Hashes makes cracking the password take 4X longer
With Admin permissions CAIN|Credential Manager will extract and crack cached credentials immediately. Its best practice to disable the storing of cached credentials on all non-laptops.
12 - Server and Client Hardening
Microsoft Security Guidance
User Software Restriction Policies(SRPs) - Restrict by IE Security zone, full or relative path, by signing certificate, or by a hash.
Disable anonymous SID/Name translation
Disable anonymous enumeration of SAM accounts and Shares
Disable Everyone permissions for anonymous users(Default)
Disable Anonymous access to Named Pipes and Shares(Null session access)
Disable autoadminlogon
Enable SMB Message signing, requires that both clients have signing enabled
Recommended to use Send NTLMv2 response only\refuse LM
Create the SynAttackProtect key. Set 0 for systems on slow links. 2 for internet facing servers.
Restricted groups allow you to control who is a member of local groups(Powerusers,BackupOperators,etc) via GPO. This policy must be refreshed frequently to be effective.
Do not audit the use of Backup and Restore privilege, creates to many logs.
scwcmd transform, will convert an SCW role into a GPO
13 - Protecting User Applications
To get a full list of installed software check this key, it shows more then what you see in add/remove software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Make every effort to use LUA priveleges
Make use of RSoP in the MMC snap-in to determine what net policy effect is on your machine. GPO should be used to secure many applications, most importantly IE and Outlook
Utilize the Attachment Manager to limit what types of files can be downloaded. Unsafe List
All applications must be reviewed for patch levels.
14 - Protecting Services and Server Applications
Uninstall unnecessary components, disable unnecessary features
To secure a service account, remove it from default groups, use a strong password, remove terminal services capability, and use GPO to deny log on locally and deny access to this computer from network for that account. Then use filemon/regmon to see what permissions are required for the account to function.
You can use sp_dropextendedproc in SQL server to remove unused stored procefures. Read More
More SQL Server Security Presentation and Checklist
IIS Lockdown only for IIS 5.0, IIS Whitepaper, and URLScan
15 - Security for Small Businesses
Windows Defender for Spyware, integrated into Vista
Vista UAC Documentation
Exchange Best Practices Analyzer
MS Small Business Security Guidance and More SB Resources
16 - Evaluating Application Security
Baseline a system after new software is added, check for new users/groups, new files/folders/registry entries, new priveleges granted, new acl's, and any security settings that may have been changed.
InCtrl5 and > secedit /generaterollback can be used, along with showaccs
SQL Profiler will show you what the SQL server sees coming from the webapp
OWASP application testing guides, more SQLsecurity
Don't trust home grown cypto, they often only use encoding like base64, XOR, or ROT13
17 - Data-Protection Mechanisms
Everyone group is identical to Authenticated Users. Do not modify default ACL's on XP or higher
Windows RMS
Protected Storage(Pstore) has been deprecated by Microsoft, as it is not secure, still used by many apps though
DPAPI is the replacement
by Jesper M. Johansson and Steve Riley
1 - Introduction to Network Protection
Information technology is working properly only when users can stop thinking about how or why it works
Security Management is about spending good money to have nothing happen
Fundamental Tradeoffs are between Cost, Level of Security, and Usefullness/Usability
Microsoft Library - Security Center
A protected network is one with an absence of unmitigated vulnerabilities that can be used to compromise the network
To have a truly secure network you must enumerate every place where it might be insecure and demonstrate that it is not insecure in any of them. This is only possible in theory not in practice (i.e. Chasing Unicorns)
2 - Anatomy of a Hack
No network is any more secure than the least-secure device connected to it
SQL injection is a vulnerability in the application, not the DBMS itself
The only proper way to clean a compromised system is to nuke and pave it
3 - Patch Your Systems
If required by support contract, ensure your 3rd Party Vendor(ISV) certifies the patch prior to rollout
Having a test bed that mirrors production is essential for patch testing, typcially VMware is utilized
Its also a good idea to use a small group of cross-functional users from withing your organization to beta test the patches prior to full rollout
Use MBSA as a free alternative for patch scanning
For small businesses WSUS is recommended, where as SMS is utilized in larger organizations
Hot patching replaces the code in memory, but not on the system files until after a reboot or service restart
You can minimize reboots by unpacking the update(use /x switch) and determining which files will be installed. Then determine which running processes have the same files opened. Often times this requires you to disable a service, stop the service, and then install the update.
Slipstreaming is critical to get patches rolled into your new installs. Requires ISOBuster . Read More
4 - Devloping Security Policy
Policies may include: Acceptable Use, Antivirus, Remote Access, Email & Retention, Data Protection, Password, Physical Security, Server Security, Direct Tap, Perimeter Protection, System Sensitivity Classification, and Privacy Policies
Sans Security Policy Center
Relevant Legislation/Stds: HIPAA , GLBA , SOX , ISO17799 , Financial Institutions
DISA Checklists , STIGs
The Site Security Handbook
5 - Educating Those Pesky Users
Social Engineering is the art and science of getting people to comply with your wishes
Diffusion of Responsibility - "Hey the VP says you won't bear any responsibility"
Chance for Ingratiation - "Look at the Reward you will get out of this"
Trust Relationships - "He sounds honest, I think I can trust him"
Moral Duty - "You've got to help me! Doesn't this make you so mad?"
Guilt - "What? You don't want to help me?"
Identification - "You and I are really two of a kind, huh?"
Desire to be helpful - "Would you help me here, please?"
Cooperation - "Let's work together. We can do so much"
If Two people know about it, It ain't a secret!
Security Awareness Training
A good policy for the helpdesk to follow is to use a bogus question or callback mechanism
6 - If you do not have physical security, you do not have security
Windows PKI Guides
Windows EFS Guide ,EFS should be used on all laptops
Adding USB Security
Setting name
Location
Default value
Possible values
WriteProtect
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Control \StorageDevicePolicies
DWORD=0
0 - Disabled
1 - Enabled
Key-In-Registery SYSKEY can be cracked, use Password Mode SYSKEY instead
7 - Protecting Your Perimeter
Quick Tips:
Block all inbound traffic where the source address is in your internal network
Block all outbound traffic where the source address isn't in your internal network
Block all inbound and outbound traffic with an RFC1918 source or destination
Block all source routed traffic
Block all fragments (except where IKE VPNs apply)
Deperimeterization
8 - Security Dependencies
Fundamental Rules for Network Segmentation
Less-sensiitive(low security) systems may depend on more-sensitive(high security) systems
More-sensitive(high security) systems MUST NEVER depend on less-sensitive(low security) systems
Service Account dependencies such as Backup Software accounts must be mitigated via reduced permissions and stronger passwords
Domain Admin accounts should only be used on a domain controller. Logging into a desktop system, which is less sensitive, via a domain admin account puts those accounts at risk.
To prevent SMB reflection attack on older systems ensure SMB Message Signing is enabled on the client and server
9 - Network Threat Modeling
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privelege
10 - Preventing Rogue Access Inside the Network
802.1X requires clients(supplicant) and switches/APs(authenticators) that support 802.1X, as well as an authentication server(Radius). Windows supports either EAP-TLS, which involves mutual trust of digital certificates, and PEAP, which allows for the supplicant to authenticate via traditional accounts(MS-CHAPv2).
Legacy devices that don't support 802.1X should be placed on a separate segment. Also, note that 802.1X will prevent PXE boot from working on the network. While several GPO's existe for managing wireless 802.1X networks, no published API's exist for wired 802.1X networks, making a large deployment very difficult. Another major flaw in 802.1X, is that once a client authenticates the port is opened and never reauthenticated, making it possible for an attacker to join a network. This only requires that the attacker spoof the MAC and IP address, however communication must be stateless(ICPMP,UDP).
Given the major decrease in the time it takes to crack wireless keys, recommended key lifetimes are now 8 mins(B) and 90 secs(A,G)
ipseccmd.exe can be used to define static and dynamic block rules on windows hosts. Note the policyagent service must be restarted in order for the rule to take effect. Only one policy can be assigned at a time. Read More
Domain Isolation
11 - Passwords and Other Authentication Methods
Cached Credentials for the local storage of domain logon info are a concatentation of your NT Hashed password salted with the username and domain, which is then hashed via MD4.They are stored in the Security Hive of the OS not in LSA Secrets.
Kerberos authentication is used between systems in a W2K or higher domain, except when connecting via IP instead of hostname. In that instance, it falls back to NTLM or NTLMv2, because Kerberos doesn't natively support reverse DNS.
Passing-The-Hash, alleviates the need for cracking the password. Both NTLM and LM are susceptible to this, where a a MITM can intercept the hash and resend it himself without even knowing the password. This only works for local accounts and on the system they came from. To be used on a remote host, the hash must be cracked.
Removing LM Hashes makes cracking the password take 4X longer
With Admin permissions CAIN|Credential Manager will extract and crack cached credentials immediately. Its best practice to disable the storing of cached credentials on all non-laptops.
12 - Server and Client Hardening
Microsoft Security Guidance
User Software Restriction Policies(SRPs) - Restrict by IE Security zone, full or relative path, by signing certificate, or by a hash.
Disable anonymous SID/Name translation
Disable anonymous enumeration of SAM accounts and Shares
Disable Everyone permissions for anonymous users(Default)
Disable Anonymous access to Named Pipes and Shares(Null session access)
Disable autoadminlogon
Enable SMB Message signing, requires that both clients have signing enabled
Recommended to use Send NTLMv2 response only\refuse LM
Create the SynAttackProtect key. Set 0 for systems on slow links. 2 for internet facing servers.
Restricted groups allow you to control who is a member of local groups(Powerusers,BackupOperators,etc) via GPO. This policy must be refreshed frequently to be effective.
Do not audit the use of Backup and Restore privilege, creates to many logs.
scwcmd transform, will convert an SCW role into a GPO
13 - Protecting User Applications
To get a full list of installed software check this key, it shows more then what you see in add/remove software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Make every effort to use LUA priveleges
Make use of RSoP in the MMC snap-in to determine what net policy effect is on your machine. GPO should be used to secure many applications, most importantly IE and Outlook
Utilize the Attachment Manager to limit what types of files can be downloaded. Unsafe List
All applications must be reviewed for patch levels.
14 - Protecting Services and Server Applications
Uninstall unnecessary components, disable unnecessary features
To secure a service account, remove it from default groups, use a strong password, remove terminal services capability, and use GPO to deny log on locally and deny access to this computer from network for that account. Then use filemon/regmon to see what permissions are required for the account to function.
You can use sp_dropextendedproc in SQL server to remove unused stored procefures. Read More
More SQL Server Security Presentation and Checklist
IIS Lockdown only for IIS 5.0, IIS Whitepaper, and URLScan
15 - Security for Small Businesses
Windows Defender for Spyware, integrated into Vista
Vista UAC Documentation
Exchange Best Practices Analyzer
MS Small Business Security Guidance and More SB Resources
16 - Evaluating Application Security
Baseline a system after new software is added, check for new users/groups, new files/folders/registry entries, new priveleges granted, new acl's, and any security settings that may have been changed.
InCtrl5 and > secedit /generaterollback can be used, along with showaccs
SQL Profiler will show you what the SQL server sees coming from the webapp
OWASP application testing guides, more SQLsecurity
Don't trust home grown cypto, they often only use encoding like base64, XOR, or ROT13
17 - Data-Protection Mechanisms
Everyone group is identical to Authenticated Users. Do not modify default ACL's on XP or higher
Windows RMS
Protected Storage(Pstore) has been deprecated by Microsoft, as it is not secure, still used by many apps though
DPAPI is the replacement
Comments
Post a Comment