MWR 07073

Information about MWR 07073

Published on June 18, 2007

Author: Charlie

Source: authorstream.com

Content

EDUCAUSE Midwest Regional 2007
Effective Security Practices for Higher Education
WINDOWS SECURITY
John Bruggeman, [email protected], Director of Information Systems, Hebrew Union College – Jewish Institute of Religion
Presented by: Gary Dobbins, [email protected], Director, Information Security, University of Notre Dame

Windows Security ! - Agenda
- Top Vulnerabilities in Windows Systems (Is there anything new?)
- Frequent Security Mistakes (Avoid being 0wn3d by a b0t)
- Patching Windows (What happened to cleaning them?)
- Hardening Windows (Tempered glass doesn't count!)
- Tools and Tips (What do the pros use, and what do hackers use?)

Copyright Notice
Copyright John Bruggeman, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Windows Security !? - Top Vulnerabilities in Windows Systems
From the SANS website, www.sans.org:
1) Windows Services
2) Internet Explorer
3) Windows Libraries
4) MS Office and Outlook Express
5) Windows Configuration Weaknesses

Windows Security !? - 1) Windows Services
Critical vulnerabilities were discovered in these services in 2005:
- MSDTC and COM+ (MS05-051)
- Print Spooler (MS05-043)
- Plug and Play (MS05-047, MS05-039)
- Server Message Block service (MS05-027, MS05-011)
- Exchange SMTP service (MS05-021)
- Message Queuing service (MS05-017)
- License Logging service (MS05-010)
What to do?
- Disable the service if possible
- Scan for vulnerabilities
- PATCH

Windows Security !? - 2) Internet Explorer
Multiple vulnerabilities were discovered in IE in 2005:
- Cumulative Security Patch (MS05-052, MS05-038, MS05-025, MS05-020, MS05-014)
- JView Profiler remote code execution (MS05-037)
- Windows Shell remote code execution (MS05-008)
How to mitigate:
- On XP, install SP2
- On 2000 and NT, keep patches current
- Use DropMyRights from MS to lower IE privileges
- Check your Browser Helper Objects (BHOs) for spyware
- Disable scripting and ActiveX

Windows Security !? - 3) Windows Libraries
DLLs can have buffer overflow vulnerabilities. Vulnerabilities discovered in 2005:
- Windows Graphics Rendering Engine (MS05-053)
- Microsoft DirectShow (MS05-036)
- HTML Help remote code execution (MS05-026, MS05-001)
- Web View remote code execution (MS05-024)
- Windows Shell remote code execution (MS05-049, MS05-016)
- PNG image processing remote code execution (MS05-009)
What to do?
- Patch your systems and scan for vulnerabilities
- Use least privilege where possible
- Filter IP ports 135-139 and 445
- Use an IPS and IDS

Windows Security !? - 4) MS Office and Outlook Express
Attack vectors are email attachments, website documents, and news servers. Several critical vulnerabilities in 2005:
- Cumulative Security Update for Outlook Express (MS05-030)
- Microsoft OLE and COM remote code execution (MS05-012)
- MS Office XP remote code execution (MS05-005)
- MS Access: no patch yet available
What to do?
- Check your systems with a vulnerability scanner
- Mitigate by patching
- Disable the IE feature of opening Office documents
- Configure Outlook with enhanced security

Windows Security !? - 5) Windows Configuration Weaknesses
- Weak passwords on accounts or network shares
- LAN Manager hashes are weak and should be replaced with stronger, more current hash techniques
- Default configurations for servers and applications can open machines to password guessing; MSDE ships with the SA account set with a blank password
- Several worms take advantage of this: Voyager, Alpha Force and SQL Spida use known weak configurations to spread
What to do?
- Enforce a strong password policy
- Prevent Windows from storing the LM hash in AD or the SAM
- Disable NULL shares and restrict anonymous access

Windows Security !?% - Frequent Mistakes Made in Windows Security
Deirdre Hurley, www.sans.org/reading_room/whitepapers/windows/1016.php
- Allowing null sessions
- Weak lockout policies
- Weak account policies
- Multiple trust relationships
- Multiple domain admin accounts
- Audit logs turned off
- Automatic Updates turned off

Windows Security !?% - Allowing Null Sessions
What is a null session?
  Net use \\10.1.1.1\ipc$ '' /user:''
So what? You can download usernames, login information, lockout policy information, etc.
How do you disable one?
- MS Security Policy MMC snap-in
- Update the registry key HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
Tools to test: www.securityfriday.com/tools/GetAcct.html

Windows Security !?% - Weak Lockout Policies
- If you don't have one, brute force attacks can succeed; if you do have one, they become more difficult
Suggested levels:
- Enable Account Lockout Threshold at 5 attempts
- Enable Account Lockout Duration of 30 minutes
- Disable Reset Account Lockout Threshold After
- Also, enable Administrator account lockout
- Get the ADSI Edit snap-in from the Windows 2000 Support Tools: http://support.microsoft.com/kb/885119/en-us

Windows Security !?% - Weak Account Policies
- Be aware: local account policies on 2000 override domain account policies
- Some admins create local users to match domain users and forget to set the local Administrator password, sometimes leaving it blank
General rules for accounts and passwords:
- Maximum password age: 90 days
- Minimum password age: 5 days
- Minimum password length: at least 7 characters, 14 for administrators
- Password uniqueness: remember 13 passwords

Windows Security !?% - Multiple Trust Relationships
- Limit the number of trusts in your domain
- Fewer gaps, less that has to be guarded
- Windows 2000 tool to find out what trusts you have: NLTEST from the NT Resource Kit

Windows Security !?% - Multiple Domain Admin Accounts
- Avoid the mistake of having three or four (or more) domain admin accounts, or of giving domain privileges to 'normal' users
- Use the practice of least privilege for all accounts
- Change default passwords for typical accounts:
  - Backup software: ArcServe, Tivoli, BackupExec
  - Test accounts: Test, dummy, Lab accounts
  - Administrator accounts

Windows Security !?% - Audit Logs Turned Off
- By default, audit logs are turned off
- Hackers have tools like DumpACL and DumpSec to find out whether auditing is turned on or off
Recommended settings for auditing:
- Account logon events (Success and Failure)
- Logon events
- Account management
- Policy changes
- System events
- Object access (Success and Failure); files, folders and registry keys must then be set individually

Windows Security !?% - Updates Turned Off
- SANS, Gartner Group and others report that 80-90% of attacks are from known vulnerabilities
- SQL Slammer (W32.Slammer) in 2005 attacked a known vulnerability that had a patch available 6 months before it hit
- Need to patch systems and keep them current
- Does require a patch management strategy
- Will require time
- Payoff is less downtime

Windows Security !?%# - Patching Windows
Rod Gode, UC Davis IT Security Symposium 2005
- What to patch and how to patch
- Options: commercial, Microsoft provided
- Deployment and testing: get some test machines
- Verification: MBSA

Windows Security !?%# - What to Patch
- OS, applications, BIOS, firmware
- Types of patches from MS: hotfix, update, critical update, security patch, update roll-up, service pack

Windows Security !?%# - How to Patch: Develop a Plan
- Hardware and software inventory
- Patch management policy & process, including a notification process
- Track & check patch level
- Download and test patches prior to deployment
- Deploy patches
- Audit workstations for compliance

Windows Security !?%# - How to Patch: Tools from Microsoft (MS)
- Analysis tool from MS: Microsoft Baseline Security Analyzer (MBSA)
- Online update services: Microsoft Update, Windows Update, or Download Center
- Push/management tools: WSUS server, SMS server, Group Policy
- Microsoft Update is different from Windows Update: MU updates all MS products, not just Windows (Office updates, server product patches)
- WSUS is the updated SUS server; a new version, WSUS 3.0, is in beta now: www.microsoft.com/wsus. Targeted client installs, selective client patching, uninstall options

Windows Security !?%# - How to Patch: Commercial Tools
- Altiris Patch Management, www.altiris.com
- BigFix Patch Manager, www.bigfix.com
- Ecora Patch Manager, www.ecora.com
- LANDesk Patch Management, www.landesk.com

Windows Security !?%# - Deployment Options
- WSUS and SMS
- Group Policy options (2000 & XP only):
  - Create an install package (MSI file) containing the patch; see KB article 257718 on how to do this
  - Store the MSI file on a network share
  - Assign the patch to groups via a group policy
  - Choose the assigned publishing method
  - The patch will be installed on the assigned computers by the Windows Installer
- Slipstream: create an image with service packs and patches

Windows Security !?%# - Testing and Verification
Patch systems are not perfect; you need to test after patches have been applied.
Tools:
- Microsoft Baseline Security Analyzer 2.0: used for Windows 2000 SP3 and later, Office XP and later, Exchange 2000 and later
- Microsoft Baseline Security Analyzer 1.2.1: Office 2000, Exchange 5.0 and 5.5
Commercial tools:
- BindView, www.bindview.com
- Computer Associates, www.ca.com
- Network Associates, www.nai.com
- Symantec, www.symantec.com
- Trend Micro, www.trendmicro.com
- Foundstone, www.foundstone.com

Windows Security !! - Hardening Windows
Advanced Information Assurance Handbook, CERT
- Hardening techniques: limit services, limit applications, limit protocols
- Intrusion protection techniques: software options to monitor file changes, host-based firewalls
- Tools from Microsoft

Windows Security !! - Hardening Techniques: Limit Services
- Verify what services are needed
- On servers, usually these can be disabled: IIS (unless needed), Fax service, Indexing service, Messenger, Telnet, Remote Access, QoS RSVP, others
- On workstations, disable unless needed: Fax service, Indexing service, Messenger, Telnet, others
- Enable the firewall

Windows Security !! - Hardening Techniques: Limit Applications
- Verify what applications are needed; many can be removed without impacting functionality
- On servers, usually you can remove the following: Outlook Express, IIS, Media Player, Journal Viewer, games, POSIX and OS/2 subsystems
- On workstations, usually you can remove the same
- Limit what applications end users can run
- Do not allow end users to install applications

Windows Security !! - Hardening Techniques: Limit Protocols
- Verify what protocols are needed for your network
- On servers, normally TCP/IP is sufficient
- On workstations, normally TCP/IP is all that is needed
- Remove IPX/SPX and NetBIOS
- Limit network devices: Bluetooth, wireless and FireWire (disable each unless needed)

Windows Security !! - Hardening Windows: Firewalls
Host-based firewalls:
- Server options: Windows 2003 SP1 firewall option
- Workstation options: XP SP2, ZoneAlarm, Tiny Personal Firewall; 85 listed on Download.com
IPsec: encrypt traffic from host to host

Windows Security !! - Hardening Windows: Intrusion Protection Systems
- IPS vs IDS: why detect when you can protect?
- Signature vs anomaly
- IPS can be host or network based
- IPS host options: eEye Blink, Prevx Home
- IDS host options: SFC (System File Checker) from MS (can be spoofed), LANguard
- IPS network options: ForeScout, TippingPoint, McAfee, ISS

Windows Security !! - Hardening Windows: Tools from Microsoft
www.microsoft.com/technet/security/tools
- MBSA 2.0
- Microsoft Enterprise Scan Tool
- Security Assessment Tool
- IIS Lockdown Tool: hardens IIS
- URLScan Security Tool: included in the IIS Lockdown Tool
- Cipher Security Tool: shredder for deleted files
- Port Reporter: logging tool for TCP and UDP activity on XP, 2003 and 2000
- Tripwire (or OSSEC)

Windows Security :-) - Tools and Techniques
Shareware tools:
- Metasploit Framework: for testing exploits
- Nessus: scanning tool to check for vulnerabilities
- Ethereal: packet sniffer
Demos: Metasploit, Nessus, Ethereal

Windows Security :-) - Resources
- www.educause.edu/security
- www.microsoft.com/technet/security
- www.sans.org/reading_room/whitepapers/windows
- www.securityfriday.com
- www.cert.org
- www.hackingexposed
- www.incidents.org
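Added example (not from the deck or its authors): a Python check for the Lsa registry values behind the "restrict anonymous access" and "stop storing the LM hash" advice above. The value names (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous, NoLMHash) are the real ones under the key the null-session slide names; the severities and the sample dict are this example's own, and the live-registry reader is assumed to run on Windows.

```python
"""Evaluate the HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa values behind
the deck's "restrict anonymous access" and "stop storing LM hashes" advice.

evaluate_lsa() takes a plain dict so it runs off-box against values exported
from many machines; read_lsa_values() reads the live key on Windows only.
Value names are the real Lsa value names; severities are this example's."""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUES = ("RestrictAnonymous", "RestrictAnonymousSAM",
              "EveryoneIncludesAnonymous", "NoLMHash")

def evaluate_lsa(values):
    """Return (setting, severity, advice) for each weak setting.
    A value missing from the mapping is treated as 0, the conservative
    reading: assume the machine has not been hardened."""
    get = lambda name: int(values.get(name, 0))
    findings = []
    # 0: a null session can list accounts and shares. 1 blocks enumeration;
    # 2 (Windows 2000 only) denies anonymous access without explicit rights.
    if get("RestrictAnonymous") == 0:
        findings.append(("RestrictAnonymous", "HIGH",
                         "null sessions can enumerate users/shares; set 1 (2 on Windows 2000)"))
    # XP/2003 moved SAM account enumeration to its own value.
    if get("RestrictAnonymousSAM") == 0:
        findings.append(("RestrictAnonymousSAM", "MEDIUM",
                         "anonymous SAM account enumeration allowed; set 1"))
    if get("EveryoneIncludesAnonymous") == 1:
        findings.append(("EveryoneIncludesAnonymous", "HIGH",
                         "anonymous logons receive Everyone permissions; set 0"))
    # NoLMHash=1 only stops the LM hash being written at the NEXT password
    # change; hashes already in AD or the SAM remain until passwords rotate.
    if get("NoLMHash") != 1:
        findings.append(("NoLMHash", "HIGH",
                         "LM hashes still stored; set 1, then force password changes"))
    return findings

def read_lsa_values(names=LSA_VALUES):
    """Windows only: read the named DWORDs from the live Lsa key."""
    import winreg  # standard library, present only on Windows builds
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in names:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value -> evaluate_lsa treats it as 0
    return out

# Constructed sample: an unhardened Windows 2000-era machine.
SAMPLE_DEFAULT = {"RestrictAnonymous": 0, "NoLMHash": 0}

if __name__ == "__main__":
    vals = read_lsa_values() if sys.platform == "win32" else SAMPLE_DEFAULT
    for setting, severity, advice in evaluate_lsa(vals):
        print(f"[{severity}] {setting}: {advice}")
```

Setting NoLMHash alone does not remove hashes that are already stored, which is why the advice pairs it with a forced password change.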

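Added example, not part of the deck: detection logic in Python that applies the lockout slide's numbers (5 failures within 30 minutes) to constructed pre-Vista Security-log lines. It groups failures per account, which is what account lockout enforces, and per source address, which surfaces a spray of a few tries across many accounts that a per-account threshold never reaches. Log format, account names and addresses are constructed for the example.

```python
"""Detect logon-failure bursts in a pre-Vista Security log export using the
deck's lockout numbers (5 attempts, 30 minutes) as the detection threshold.
Event 529 is "logon failure: unknown user name or bad password" on Windows
2000/XP/2003; 528 is a successful logon. Log lines below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(\S+ \S+) (\d+) .*?user=(\S+) src=(\S+)")
WINDOW = timedelta(minutes=30)
THRESHOLD = 5

def parse(lines):
    """Yield (time, account, source) for every 529 failure line."""
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) == "529":
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield when, m.group(3).lower(), m.group(4)

def find_bursts(events, key_index):
    """Sliding window: {key: peak failures inside any 30-min window} for keys
    reaching THRESHOLD. key_index 1 groups by account (what lockout sees);
    2 groups by source address (what a spray across many accounts looks like)."""
    windows = defaultdict(deque)
    peaks = {}
    for ev in sorted(events):
        key, q = ev[key_index], windows[ev[key_index]]
        q.append(ev[0])
        while ev[0] - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

SAMPLE_LOG = [
    "2007-06-18 09:00:00 529 Security FailureAudit user=jdoe src=10.1.1.50",
    "2007-06-18 09:01:30 529 Security FailureAudit user=jdoe src=10.1.1.50",
    "2007-06-18 09:02:10 529 Security FailureAudit user=jdoe src=10.1.1.50",
    "2007-06-18 09:03:45 529 Security FailureAudit user=jdoe src=10.1.1.50",
    "2007-06-18 09:05:00 529 Security FailureAudit user=jdoe src=10.1.1.50",
    "2007-06-18 09:06:20 529 Security FailureAudit user=jdoe src=10.1.1.50",
    "2007-06-18 09:10:00 528 Security SuccessAudit user=gary src=10.1.2.9",
    "2007-06-18 09:11:00 529 Security FailureAudit user=gary src=10.1.2.9",
] + [  # one host trying five accounts twice each, two minutes apart
    f"2007-06-18 09:{20 + 2 * i:02d}:00 529 Security FailureAudit user={u} src=10.1.1.77"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"] * 2)
]

def report(lines=SAMPLE_LOG):
    """Return (bursts per account, bursts per source address)."""
    events = list(parse(lines))
    return find_bursts(events, 1), find_bursts(events, 2)

if __name__ == "__main__":
    by_account, by_source = report()
    print("accounts over threshold (lockout should have fired):", by_account)
    print("sources over threshold (per-account lockout misses these):", by_source)
```

None of this is visible unless the "Logon events" and "Account logon events" failure auditing from the audit slide is switched on first.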