Applied Security Strategies
Common Security Challenges: Patch Management

Michael Anderberg
Senior Systems Engineer, Windows Platform
Microsoft AB
Session Prerequisites

- Understanding of enterprise security challenges
- Knowledge of securing computers by using Group Policy
- Understanding of remote access basics
- Knowledge of how to apply security patches

Level 300
Agenda

- Introduction
- Real-World Patch Management Strategies
- Real-World Remote Access Strategies
- Troubleshooting Security Configurations
Defense in Depth

Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success

| Layer | Example controls |
|---|---|
| Data | ACL, encryption |
| Application | Application hardening, antivirus |
| Host | OS hardening, update management, authentication, HIDS |
| Internal Network | Network segments, IPSec, NIDS |
| Perimeter | Firewalls, VPN quarantine |
| Physical Security | Guards, locks, tracking devices |
| Policies, Procedures, & Awareness | User education |
Common Security Challenges

- Patch management: beyond the basics
- Remote access security
- Troubleshooting security policies
Agenda

- Introduction
- Real-World Patch Management Strategies
- Real-World Remote Access Strategies
- Troubleshooting Security Configurations
Importance of Proactive Patch Management

| Attack Name | Date Publicly Discovered | MSRC Severity | MSRC Bulletin | MSRC Bulletin Date | Days Available Before Attack |
|---|---|---|---|---|---|
| Trojan.Kaht | 5-May-03 | Critical | MS03-007 | 17-Mar-03 | 49 |
| SQL Slammer | 24-Jan-03 | Critical | MS02-039 | 24-July-02 | 184 |
| Klez-E | 17-Jan-02 | N/A | MS01-020 | 29-Mar-01 | 294 |
| Nimda | 18-Sep-01 | N/A | MS01-078 | 17-Oct-00 | 336 |
| Code Red | 16-Jul-01 | N/A | MS01-033 | 18-Jun-01 | 28 |
Patch Management Process

Cycle: 1. Assess -> 2. Identify -> 3. Evaluate and Plan -> 4. Deploy

1. Assess Environment to be Patched
   Periodic Tasks
   A. Create/maintain baseline of systems
   B. Assess patch management architecture
   C. Review infrastructure/configuration
   Ongoing Tasks
   A. Discover assets
   B. Inventory clients

2. Identify New Patches
   Tasks
   A. Identify new patches
   B. Determine patch relevance
   C. Verify patch authenticity and integrity

3. Evaluate and Plan Patch Deployment
   Tasks
   A. Obtain approval to deploy patch
   B. Perform risk assessment
   C. Plan patch release process
   D. Complete patch acceptance testing

4. Deploy the Patch
   Tasks
   A. Distribute and install patch
   B. Report on progress
   C. Handle exceptions
   D. Review deployment
Monitoring Patch Status

- Subscribe to notification services
  - Microsoft Security Notification Service
  - Third-party mailing lists
- Check websites
  - www.microsoft.com/technet/security
  - Product-specific pages
  - Third-party sites
- Implement regular review and deployment schedule
  - Microsoft’s patch release schedule: second Tuesday of each month
  - Exception: customers are at immediate risk
  - Configure automated tools to check for new updates daily
When to Apply Patches

- Apply as soon as possible
- Apply only after testing
- Implement mitigating measures
- Apply according to severity rating

| Severity Rating | Definition | Recommended Patching Time Frame |
|---|---|---|
| Critical | Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action | Within 24 hours |
| Important | Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data or in the integrity or availability of processing resources | Within 1 month |
| Moderate | Exploitation is serious but has been mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation | Wait for next service pack or patch rollup that includes the patch, or deploy the patch within 4 months |
| Low | Exploitation is extremely difficult, or impact is minimal | Wait for next service pack or patch rollup that includes the patch, or deploy the patch within 1 year |
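The severity table and the "Importance of Proactive Patch Management" table can be joined into one check. This added Python example (not part of the presentation) recomputes the "Days Available Before Attack" column from the bulletin and discovery dates and tests whether patching within the recommended time frame for each severity would have preceded the attack; it assumes that "1 month" and "4 months" mean 30 and 120 days, and it handles the one date written with a full month name ("24-July-02").

```python
from datetime import datetime

# Recommended patching time frames from the severity table, in days; "1 month" and
# "4 months" are taken as 30 and 120 days (an assumption made for this example).
SLA_DAYS = {"Critical": 1, "Important": 30, "Moderate": 120, "Low": 365}

def parse_date(text):
    """Parse a date as written in the deck, e.g. '17-Mar-03' or '24-July-02'.
    The month is cut to three letters so that '%b' accepts both spellings."""
    day, month, year = text.split("-")
    return datetime.strptime(f"{day}-{month[:3]}-{year}", "%d-%b-%y")

def days_available(bulletin_date, attack_date):
    """Days the fix had been available when the attack was publicly discovered."""
    return (parse_date(attack_date) - parse_date(bulletin_date)).days

def patched_in_time(severity, bulletin_date, attack_date):
    """True if deploying within the recommended time frame for this severity would
    have closed the hole before the attack appeared; None when no rating exists."""
    sla = SLA_DAYS.get(severity)
    if sla is None:
        return None
    return sla < days_available(bulletin_date, attack_date)

# Rows of the "Importance of Proactive Patch Management" table:
# (attack, date publicly discovered, MSRC severity, bulletin, bulletin date)
ATTACKS = [
    ("Trojan.Kaht", "5-May-03",  "Critical", "MS03-007", "17-Mar-03"),
    ("SQL Slammer", "24-Jan-03", "Critical", "MS02-039", "24-July-02"),
    ("Klez-E",      "17-Jan-02", "N/A",      "MS01-020", "29-Mar-01"),
    ("Nimda",       "18-Sep-01", "N/A",      "MS01-078", "17-Oct-00"),
    ("Code Red",    "16-Jul-01", "N/A",      "MS01-033", "18-Jun-01"),
]

def exposure_report(rows=ATTACKS):
    """Map each attack to (days available before attack, patched_in_time result)."""
    return {name: (days_available(bdate, adate), patched_in_time(sev, bdate, adate))
            for name, adate, sev, _bulletin, bdate in rows}

if __name__ == "__main__":
    for name, (days, in_time) in exposure_report().items():
        print(f"{name:12s} {days:4d} days available; SLA would have preceded attack: {in_time}")
```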
Microsoft Tools for Patch Management

Analysis Tools
- Microsoft Baseline Security Analyzer (MBSA)
- Office Inventory Tool

Online Update Services
- Windows Update
- Office Update

Content Repositories
- Windows Update Catalog
- Office Download Catalog
- Microsoft Download Center

Management Tools
- Automatic Updates (AU) feature in Windows
- Software Update Services (SUS)
- Systems Management Server (SMS)

Prescriptive Guidance
- Microsoft Guide to Security Patch Management
- Patch Management Using SUS
- Patch Management Using SMS
MBSA Benefits

- Automates identification of missing security patches and security configuration issues
- Allows administrator to centrally scan a large number of systems simultaneously
- Works with a broad range of Microsoft software (not just Windows and Office)
MBSA – How It Works

1. Run MBSA on the admin system; specify targets
2. MBSA downloads a CAB file containing MSSecure.xml from the Microsoft Download Center and verifies its digital signature
3. Scans target systems for OS, OS components, and applications
4. Parses MSSecure.xml to see if updates are available
5. Checks if required updates are missing on each computer
6. Generates a time-stamped report of missing updates

MSSecure.xml contains:
- Security bulletin names
- Product-specific updates
- Version and checksum info
- Registry keys changed
- KB article numbers
Automating Detection with MBSA

- MBSA Scan (GUI)
  - Performs well for small and medium-size networks
- MBSA Scan (mbsacli.exe)
  - Performs automated scans using command-line parameters
  - Example: mbsacli /d mydomain /f report.txt
- MBSA Scan in HFNetChk mode (mbsacli.exe /hf)
  - Performs automated scans using command-line parameters
  - Checks for missing patches only
  - Example: mbsacli /hf -o tab -f report.txt
- MBSA and Windows Update might show different results
Automating Patch Distribution and Monitoring with SUS

- Performs pull installations of service packs, security rollup packages, and critical updates
- Gives administrators control over software updates
- Prevents unauthorized installations when SUS is used with Automatic Updates
- Allows for staging and testing
- Works only for Windows 2000 and later
Managing a Complex SUS Environment

- Centrally manage downloading and approving updates
- Use OU structure and GPOs to manage SUS update distribution
  - Use the WUAU.ADM template file to configure AU client settings
  - Assign GPOs to OUs

Diagram labels: Domain; SUS Test Server; Member Servers (GPO); SUS Test (GPO); HO Workstations (HO GPO); RO1 Workstations (RO1 GPO); RO2 Workstations (RO2 GPO)
Using Management Software to Distribute and Apply Patches

Systems Management Server (SMS) 2003
- Gives administrators control over patch management
- Automates the patch management process
- Updates a broad range of Microsoft products
- Updates third-party software
- Provides flexibility by using scripts

Third-Party Solutions
- Integrates with third-party solutions through scripting
Third-Party Solutions

| Company Name | Product Name | Company URL |
|---|---|---|
| Altiris, Inc. | Altiris Patch Management | http://www.altiris.com |
| BigFix, Inc. | BigFix Patch Manager | http://www.bigfix.com |
| Configuresoft, Inc. | Security Update Manager | http://www.configuresoft.com |
| Ecora, Inc. | Ecora Patch Manager | http://www.ecora.com |
| GFI Software, Ltd. | GFI LANguard Network Security Scanner | http://www.gfi.com |
| Gravity Storm Software, LLC | Service Pack Manager 2000 | http://www.securitybastion.com |
| LANDesk Software, Ltd | LANDesk Patch Manager | http://www.landesk.com |
| Novadigm, Inc. | Radia Patch Manager | http://www.novadigm.com |
| PatchLink Corp. | PatchLink Update | http://www.patchlink.com |
| Shavlik Technologies | HFNetChk Pro | http://www.shavlik.com |
| St. Bernard Software | UpdateExpert | http://www.stbernard.com |
Patching Microsoft Office

- Office Inventory Tool
- Office Update
- Office patches require the original files
- Office 2003 caches installation files
- Installation points patching
Best Practices for Successful Patch Management

- Use a change control process
- Read all related documentation
- Apply updates only as needed
- Test updates thoroughly
- Ensure consistency across domain controllers
- Back up your system, and schedule production downtime
- Always have a rollback plan
- Forewarn help desk and key user groups
- Target non-critical servers first
Agenda

- Introduction
- Real-World Patch Management Strategies
- Real-World Remote Access Strategies
- Troubleshooting Security Configurations
VPNs and Firewalls

Combining a firewall with a VPN server. Diagram: two placements, each serving VPN clients:
- RAS Server & Firewall on Same Computer
- RAS Server Behind Firewall
VPN Server Behind a Firewall

- Challenge: Allow the firewall to pass traffic to the VPN server
- Challenge: Stateful inspection

| Traffic | Ports and Protocols |
|---|---|
| PPTP Session Establishment | TCP Port 1723 |
| PPTP Session | IP Protocol 47 (GRE) |
| IPSec IKE | UDP Port 500 |
| IPSec ESP | IP Protocol 50 (IPSec ESP) |
Using ISA Server as a VPN Server and a Firewall

| ISA Server Feature | Description |
|---|---|
| Integrated solution | Provides application-layer firewall and proxy server; uses RRAS to provide VPN services; provides strong authentication options; includes choice of PPTP or L2TP/IPSec protocols |
| Packet filtering | Protects the VPN server |
| Wizards | Allow for easy configuration to help avoid mistakes |
Challenges of Using IPSec and NAT

- Packet header is modified, invalidating packets
- IKE uses IP fragments
- NAT devices that assume tunnel mode

Diagram (AH packet passing between two NAT devices):
  Original:      Orig IP Hdr | TCP Hdr | Data
  After insert:  Orig IP Hdr | AH Hdr | TCP Hdr | Data
  The AH Hdr contains an encrypted hash of the original packet header.
Solution Model

- IETF draft on NAT Traversal (NAT-T) recommends that devices on both ends should:
  - Detect the presence of NAT
  - Use a non-IPSec port so that NAT devices do not interfere with network traffic
  - Encapsulate IPSec in UDP
- In addition, the Microsoft solution prevents IP fragments
How NAT-T Works

Diagram (ESP in UDP passing between two NAT devices):
  Original:       Orig IP Hdr | TCP Hdr | Data
  Insert ESP:     Orig IP Hdr | ESP Hdr | TCP Hdr | Data
  Insert UDP:     Orig IP Hdr | UDP src 4500, dst 4500 | ESP Hdr | Rest…
  Sent by A:      Orig IP Hdr | UDP src 4500, dst 4500 | ESP Hdr | Rest…
  Rcvd by B:      Orig IP Hdr | UDP src XXX, dst 4500 | ESP Hdr | Rest…
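The two diagrams above can be contrasted in a small model. This added Python example (not part of the presentation) builds simplified packets and shows that AH's integrity check covers the IP header, so a NAT device rewriting the source address breaks it, while ESP carried in UDP 4500 leaves the outer IP and UDP headers uncovered, so NAT can rewrite the address and the UDP source port (the "XXX" in the diagram) without invalidating the packet. The key, SPI and addresses are constructed, and the headers are reduced models rather than full RFC-conformant packets.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"   # SA integrity key (constructed for this model)

def ip_header(src, dst, proto):
    """Minimal 20-byte IPv4 header; mutable fields (TOS, flags, TTL, checksum) stay zero,
    which is also how AH treats them when computing its ICV."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 0, proto, 0, addr(src), addr(dst))

def icv(data):
    """96-bit truncated HMAC-SHA1, the integrity check value used by AH and ESP."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_packet(src, dst, payload):
    """AH (IP protocol 51): the ICV covers the IP header, addresses included."""
    hdr = ip_header(src, dst, 51)
    return hdr + icv(hdr + payload) + payload

def ah_verify(pkt):
    hdr, tag, payload = pkt[:20], pkt[20:32], pkt[32:]
    return hmac.compare_digest(tag, icv(hdr + payload))

def esp_udp_packet(src, dst, payload, udp_src=4500):
    """NAT-T: ESP in UDP 4500. The ICV covers only the ESP part, so a NAT device
    may rewrite the outer IP and UDP headers without invalidating the packet."""
    esp = struct.pack("!II", 0x1000, 1) + payload      # SPI and sequence number (constructed)
    udp = struct.pack("!HHHH", udp_src, 4500, 0, 0)    # src port, dst port, length, checksum
    return ip_header(src, dst, 17) + udp + esp + icv(esp)

def esp_udp_verify(pkt):
    esp, tag = pkt[28:-12], pkt[-12:]                  # skip 20-byte IP + 8-byte UDP header
    return hmac.compare_digest(tag, icv(esp))

def nat(pkt, new_src, new_udp_src=None):
    """Simulated NAT: rewrites the source address and, for UDP, the source port."""
    dst = ".".join(str(b) for b in pkt[16:20])
    out = ip_header(new_src, dst, pkt[9]) + pkt[20:]
    if new_udp_src is not None and pkt[9] == 17:
        out = out[:20] + struct.pack("!H", new_udp_src) + out[22:]
    return out

A, B, PUBLIC = "10.0.0.5", "198.51.100.1", "203.0.113.7"   # constructed addresses
PAYLOAD = b"TCP header and data"

def demo():
    """(AH ok, AH ok after NAT, ESP/UDP ok, ESP/UDP ok after NAT) -> (True, False, True, True)."""
    ah, esp = ah_packet(A, B, PAYLOAD), esp_udp_packet(A, B, PAYLOAD)
    return (ah_verify(ah), ah_verify(nat(ah, PUBLIC)),
            esp_udp_verify(esp), esp_udp_verify(nat(esp, PUBLIC, 40123)))
```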
Interoperability Issues

- VPN client and VPN server must support NAT-T
  - Issues with third-party devices
  - Better interoperability as time goes on
- NAT devices do not need any changes
- Firewall support
  - Allow UDP 4500 traffic
  - Allow UDP 500 traffic
NAT-T Status for Windows

- Implemented to IETF Proposed Standard
- Interoperability tested with third-party gateways for L2TP/IPSec
- Intended for L2TP/IPSec in Windows XP and earlier
- Intended for all IPSec uses in Windows Server 2003

| OS Version | L2TP/IPSec Support | General IPSec Transport Mode Support |
|---|---|---|
| Windows Server 2003 | Yes | Yes (4) |
| Windows XP | Yes (1) | Not recommended (5) |
| Windows 2000 | Yes (2) | No |
| Windows NT 4 | Yes (3) | No |
| Windows 98/Me | Yes (3) | No |

Note 1: Windows Update or hot fix
Note 2: With hot fix
Note 3: With Web download
Note 4: Active FTP does not work
Note 5: Some PMTU reductions do not work
Enforcing Remote Access Client Security

Problem:
- Remote clients might not meet corporate security requirements
- Insecure computers on the corporate network endanger the entire network

Solutions:
- Disallow remote access
- Trust users to keep remote clients secure
- Create a separate network for VPN clients
- Enforce security settings upon connecting
- Disconnect clients that are not secure: Network Access Quarantine Control
The Quarantine Process

Diagram: RAS Client -> Internet -> RRAS Server -> IAS Server

1. Connect
2. Authenticate
3. Authorize
4. Quarantine and other filters applied (quarantine access only)
5. Policy check result
6. Remove quarantine -> Full access
Agenda

- Introduction
- Real-World Patch Management Strategies
- Real-World Remote Access Strategies
- Troubleshooting Security Configurations
Resolving Security Template Conflicts

- Use Resultant Set of Policies (RSoP) tools
  - Active Directory management tools
  - Group Policy Results from the GPMC
  - GPResult
Troubleshooting Application Failures

- Applying security patches or security templates might prevent applications from working
- Tools for troubleshooting application failures
  - Network Monitor
  - File Monitor
  - Registry Monitor
  - Dependency Walker
  - Cipher
Troubleshooting Services and Processes

- You may need to troubleshoot services:
  1. When services and processes fail to start
  2. To confirm that all services and processes are legitimate
- Tools to troubleshoot processes:
  - Tlist.exe or Process Explorer
  - Dependency Walker
  - Examine DLL properties
Troubleshooting Network Connectivity Issues

- Ensure that only required ports are open on the computers
- Tools for determining port usage:
  - Netstat -o (on Windows XP or Windows Server 2003)
  - Task Manager
- Test port usage for applications and services
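As an added example that is not from the presentation, this Python script applies the "only required ports" check to a constructed sample of `netstat -ano` output (the -o switch from the slide plus -a and -n so that every listener appears numerically) and reports listeners missing from an allowlist, with the owning PID to look up in Task Manager. Both the sample output and the allowlist are constructed for this example.

```python
# Constructed sample of 'netstat -ano' output; not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:3389      192.168.1.50:1041      ESTABLISHED     1020
  UDP    0.0.0.0:500            *:*                                    644
  UDP    0.0.0.0:4500           *:*                                    644
  UDP    0.0.0.0:1900           *:*                                    1112
"""

def listeners(netstat_text):
    """Return [(proto, port, pid)] for every TCP LISTENING socket and every UDP socket.
    UDP rows have no State column, so fields are taken by position from each end."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                  # header, blank and title lines
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue                                  # established/closing rows are not open ports
        port = int(local.rsplit(":", 1)[1])           # rsplit also handles IPv6 forms like [::]:135
        found.append((proto, port, pid))
    return found

# Constructed allowlist for a VPN server behind a firewall: RPC, SMB, RDP, IKE, NAT-T.
ALLOWED = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 500), ("UDP", 4500)}

def unexpected_listeners(netstat_text, allowed=ALLOWED):
    """Listeners not on the allowlist, each with the PID to investigate."""
    return [(p, port, pid) for p, port, pid in listeners(netstat_text) if (p, port) not in allowed]

if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners(SAMPLE):
        print(f"unexpected {proto} port {port} owned by PID {pid}")
```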
Best Practices for Troubleshooting

- Use a formal change and configuration management strategy for all security changes
- Test all security configuration changes
- Use RSoP tools in planning mode
- Document the normal settings
- Have a rollback strategy
- Troubleshoot securely
Session Summary

- Real-World Patch Management Strategies
- Real-World Remote Access Strategies
- Troubleshooting Security Configurations
For More Information

- Microsoft Security Site (all audiences): http://www.microsoft.com/security
- TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security
- MSDN Security Site (developers): http://msdn.microsoft.com/security