3-Security_W2K8_hardening

advertisement
Sinergija09 :: Akcija!!!
•
•
Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 !
Kompanija Microsoft Software je u saradnji sa partnerskom firmom Network
Security Solutions rešila da pokloni svim zainteresovanim firmama učesnicama
Sinergije09, bez obzira na broj prijavljenih posetilaca konferencije, po jednu
besplatnu osnovnu procenu bezbednosti web sajta.
Prijave do 30. Novembra http://www.netsec.rs
Protecting Windows and
Web applications
Dejan Levaja, MVP [Enterprise Security]
Network Security Solutions
http://www.netsec.rs
Agenda
•
•
•
•
•
•
•
Server 2008 Security mehnizmi - podsetnik
IIS 7 security
Patching
Auditing
Scanning and Assessment
Hardening
Security Testing
Security and protection
•
•
Security improvements to the kernel
– Kernel patch protection for 64-bit editions
– Security improvements to the heap
manager
– Security improvements to the registry
– Code integrity
– Data Execution Prevention
– Address Space Layout Randomization
– Windows Resource Protection
Security improvements to Windows services
– Windows service hardening
– Session 0 isolation
– Named pipe hardening
•
•
•
•
•
Windows Integrity Mechanism
Windows Internet Explorer 7/8
– Protected mode
– Extended Validation SSL certificates
Extensible logon architecture
Cryptography Next Generation
Authentication protocol improvements
– Windows implementation of the Kerberos
protocol
– TLS/SSL cryptographic enhancements
Threats and vulnerabilities mitigation
•
•
•
•
•
•
•
Server role security configuration
Server Core installation option
User Account Control
Web Server (IIS) role
Backup and recovery
Windows Firewall with Advanced Security
Network Policy and Access Services role
– Network Policy Server
– Network Access Protection
– Routing and Remote Access
Secure configuration assessment and
management
•
•
•
•
•
•
Security auditing
Server security policy management
Security Configuration Wizard
Authorization Manager
Group Policy
Active Directory Domain Services
– Fine-grained password policies
– Auditing
Identity and access control
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Smart cards
802.1X authenticated wired and wireless
access
Backup and restore of stored user names
and passwords
Credential Security Service Provider and
single sign-on for Terminal Services logon
Previous logon information
Access control user interface
TrustedInstaller SID
Restricted SIDs checks
File system namespace modifications
Default permissions changes
Changes to tokens
Integrity levels
Icacls command-line tool
OwnerRights SID
•
•
•
•
•
BitLocker Drive Encryption
Encrypting File System
Active Directory Certificate Services
– Cryptography Next Generation
– Online Certificate Status Protocol
– Network Device Enrollment Service
– Web enrollment
– Policy settings
– Restricted enrollment agent
– Enterprise PKI snap-in
Active Directory Domain Services
Active Directory Rights Management Service
IIS 7 Security
•
Ranjivosti
–
–
–
–
•
•
•
•
•
IIS 7
Apache 2.2
IIS 6
Apache 2.0
(2006. – Sinergija09)
(2006. – Sinergija09)
(2003. – Sinergija09)
(2003. – Sinergija09)
Authentication
IP and Domain Restriction
URL Authorization
Request Filtering
Certificates
=> 2
=> 17
=> 8
=> 41
IIS 7 Security - Authentication
•
Izmene
–
–
–
–
–
–
•
IUSR_machine_name => IUSR
IUSR_machine_name postoji samo ako postoji i FTP
IUSR radi u bezbednosnom kontekstu worker procesa (network service)
IUSR nema lozinku
IUSR_WPG => IIS_IUSR
Najvažnije: IUSR i IIS_IUSR su Built-In nalozi –> svuda isti SID -> moguć XCOPY /O
Authentication
–
–
–
–
–
–
–
Anonymous
Basic
Windows
Forms
Certificates*
Digest
ASP.NET Impersonation
IIS 7 Security - IP and Domain Restriction
•
•
Ograničenje pristupa po IP adresi
Ograničenje pristupa po imenu domena (zahteva reversni DNS lookup!)
– Demo
•
Dynamic IP Restrictions Extension (beta)
– http://www.iis.net/extensions/DynamicIPRestrictions
IIS 7 Security - URL Authorization
•
NTFS vs URL autorizacija
– xcopy /o
•
Demo
– Scenario
• Isključimo Anon Auth, uključimo Basic
• kreiramo grupu
• kreiramo korisnike i dodamo ih u grupu
• obrišemo defaultni URL Authorization Rule i kreiramo novi
– Sve ovo može i iz CMD-a (appcmd.exe)!
Request Filtering – simple WAF
•
URLScan => Request Filtering
– Filter Double-Encoded Requests
• ‘\’ => %5c
– ‘% ‘=> %25
» %255c
• scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ (IIS 5.0)
– Filter High Bit Characters
– Filter Based on File Extensions
– Filter Based on Request Limits
– Filter by Verbs
– Filter Based on URL Sequences
• /../ ,
– Filter Out Hidden Segments
Certificates
•
SSL
–
–
–
–
–
•
one to many mapping
one to one mapping
AD mapping
CLR, delta CRL
Next, next, finish
Demo
Patching
•
Windows Update
– <= Vista
– OS + IE
•
Microsoft Update
– Windows Update + MS Office + Exchange + SQL + ...
– http://www.update.microsoft.com/
•
•
•
Automatic Update
Patch Tuesday ( and Exploit Wednesday  )
Microsoft Catalog
– http://catalog.update.microsoft.com
Patching
•
WSUS 3.0
–
–
–
–
Sastavni deo Servera 2008 (KB 940518)
SUS == OS; WSUS == OS + ostalo
WSUS = IIS 7+ SQL (WID) + Microsoft Update
GPO ili Registry
• GPO => Computer Configuration\Administrative Templates\Windows
Components\Windows Upddate\Specify Intranet Microsoft Update Service
Location
• Registry => KLM\Software\Policies\Microsoft\Windows\WindowsUpdate\
– reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
» /v WUServer /t REG_SZ /d http://wsus.netsec.local
» /v WUStatusServer /t REG_SZ /d http://wsus.netsec.local
Auditing
•
Auditing in Server 2008
–
–
–
–
•
4GB vs >petabyte
n*1000 evt/sec vs n*10000 evt/sec
granular audit policy (GAP)
GPO (R2), AuditPol.exe
EventViewer
– XML
•
•
eventquery.vbs wevtutil.exe
Demo: Failed logons
– wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text > logon.txt
Scanning
•
MBSA
–
–
–
–
–
–
–
–
Security Updates, Administrative Vulnerabilities, IIS, SQL, Desktop apps
WSUS i MBSA
GUI, cmd (mbsacli.exe)
Online, Offline
wsusscn2.cab - http://go.microsoft.com/fwlink/?LinkId=76054
Visio Connector (2003,2007)
%userprofile%\SecurityScans
Demo:
• mbsacli.exe /target 192.168.0.10 /u administrator /p P@ssw0rd
• mbsacli.exe /n SQL+IIS /catalog c:\wsusscan2.cab /nd
Assessment
•
MSAT
– MSAT is designed to help you identify and address security risks in your IT environment.
– http://technet.microsoft.com/en-us/security/cc185712.aspx
•
•
•
Preko 200 pitanja baziranih na ISO 27001
Infrastructure, Applications, Operations, People
Demo
Hardening
•
•
Windows Firewall with Advanced Security
IPSec => Server and Domain Isolation
– R2 or not R2 ?
– Demo
•
Security Configuration Wizard
– Demo
Security Testing
•
Vulnerability Assessment
– popisuje ranjivosti
– MBSA, ...
•
Penetration Testing
– dokazuje da je moguće iskoristiti pronađene ranjivosti
– browser + proxy, metasploit, ...
•
•
Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 !
Prijave do 30. Novembra http://www.netsec.rs
Molimo vas da popunite ankete!
Please fill out the evaluations!
Vaše mišljenje čini osnovu
sledeće Sinergije i
omogućava nam da
oblikujemo sadržaj u skladu
sa Vašim željama.
Your opinion forms the next
Sinergija conference, and it
provides us with the means
to shape its content to best
suit you.
Svi posetioci koji popune
ankete ulaze u nagradnu
igru
All attendees that fill out the
evaluations are taking part
in drawing of special prizes
Hvala!
dejan.levaja@netsec.rs
Microsoft Community Serbia
http://www.msforge.net
Download