Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

12 Tips to Secure Your Windows Systems, Revisted: How

Tomasz Zukowski
Inobits Consulting
Session Code: WSV301
Question:
How many of you do security at your
company?
Question:
How many of you ASKED to do security
at your company?
What's This Talk All About?
Several things
Review the fundamentals, but with a fresh "2009
perspective"
A chance to help you in the ongoing battle to
convince our users that security matters
If you've made the choice to use Win 6 or 7, I want
you to know where to go to get the most out of
that investment security-wise
Why Security Matters
Protecting company assets, of course
But the Internet adds a new dynamic
Computers are “levers” when it comes to data;
when things are good, they’re very good, and
when they’re bad, they’re very bad – and get
worse quickly!
There are also the matters of public security,
which is another very good reason to care
Twelve Tips
You are a risk manager
Write a security policy
Passwords
Authenticate right
Stomp Administrator
Auditing and logs
Nail the services… or the
developers
Physical security
Have A DR Plan
Upgrade the carbon units
Stay informed
Patch!
Risk Analysis
Security’s a Tradeoff…
… like everything else in business
You cannot make your system completely
secure
We accept and absorb risks all the time
Security Has A Price
IT’s job versus security’s job
Many “hardening” techniques will cause
software to break
Write a Security Policy
one on paper, that is
We’re talking here about protecting the organization
from destruction, so…
This only works if management’s on board
Must have a written security policy
Must have a few items that, well, could cause termination
If not, then relax!; you’re going to get hacked, probably
by an insider, but there’s nothing you can do about it,
so don’t work late
Good sample policies at
http://www.sans.org/resources/policies/
Practical Talk About Passwords
“Bad passwords always beat good security”
Passwords – the stakes
Passwords are it for most of us in terms of
identifying ourselves to the network
Bad guys just need one account, not all of them
Passwords are a carbon-based issue, not a
silicon-based issue
Again, get the users on board, or it's likely that
no password technology will ever work
Passwords – the modern facts
Passwords are attacked in several ways
Shoulder surfing
Post-Its
They’re yelled across a room
Someone steals your password “hashes” and cracks
them
Someone tries repeatedly to log on with different
passwords
Note that only the last two are technological
A Bit of Technicals on Passwords
Computers don't store your password; they
convert it to a 128 bit "hash" and store that
"Open Sesame"
Any of many mathematical processes
called a "hash function"
0F725ACD85C6390EE6F218C7D382C552
This is essentially your real password – if bad guys get it, they can (1) attempt to reverse it
to get your password (difficult) or just directly use the hash to impersonate you (easy)
How Bad Guys Get Your Hash
Physical access to your system
Guessing it
But that means trying 2128 possibilities, which is still
computationally unlikely – at a million/second, it'd
take 1025 years, and even Moore's Law won't crack
that for a while
Guessing it with a hint… now, that might be
possible!
Hint Sources
Structural limitations on passwords
The 1980's "LAN Manager" software limited the
possible number of hashes so that checking all
possible hashes can be done in a few days on a
modern system rather than a zillion years… so LM
hashes must go
Hashes come from human-chosen passwords and
humans tend not to create passwords like
"6$^^hH-()()()()(7Ghala"
Worse yet, many people restrict themselves to
personal info or English words
This is how the bad guys get passwords!
Protecting Your Passwords
Get your users to create useful, non-trivial passwords
Mandate a minimum password length of at least 8
characters, consider 12… 7 or under is bad under all
circumstances for several reasons
Avoid complex passwords
Train users to avoid simple English words
Get rid of LM now. Really… now.
Group policies will do it
Most systems will not have a compatibility problem, but
check NASes and network-attached printers
Win 6/7 and LM
After telling us to rid our networks of LMrelated stuff for ten years, Microsoft took
a big step…
… Vista, Server 2008, Win 7 and Server 2008 R2
have no support for LAN Man hashes or
authentication at all
You couldn't create an LM hash with Vista if you
wanted to!
The Dumbest Passwords
I've got to stress this…
In the early 21st Century, these kind of
passwords can be almost always cracked in
under three minutes:
A name associated with you or your organization
A date associated with you or your organization
A dictionary word
BTW, just adding a number or a capital adds no
more than a few minutes to the time
People with these passwords must, sadly, be
sterilized
12 Characters? Are You Crazy?
I advocate 12 character minimum password
length… more length makes up for a "no
complexity" requirement
Only requires a bit of user education on the
"passphrase”
12 lowercase letters = 95,428,956,661,682,176
possibilities
Try a million a second, it’ll take 300 centuries
The Ultimate Password
Remember why English word passwords are
childishly simple to crack?
They weren't 12 years ago
As Moore's Law strides on, one day any eightcharacter password, no matter how obscure,
will be crackable in an hour or so
And then what do we do?
Answer: PKI… so put that on your "things to
figure out in the next couple of years" list
WS08 R2 Authentication Mechanism Assurance
Watch Your Authentication Protocols
Why They Matter
When you log on, your system decides underthe-hood how to authenticate with a domain
controller – either
LM
NTLM
NTLM v2
Kerberos
Even in an AD world, the top three get used…
and you really want to avoid that
What? Not Use Kerberos?
Even in an AD-centric network, you may not
get Kerberos
NET USE to an IP address
Connect to a workgroup system on Windows of any version
Connect to a pre-2000 system
Failover from a busy DC
Badly-written apps (any apps older than 7 years?)
Intranet site not added to "local intranet" zone
Nowadays we really want to de-NTLM our networks as
much as possible
Kerberos Logon vs NTLM Logon
How you know you're NTLM-ing:
Can't join machines to domains
Don't get group policies
Netmon traces show NTLM, not Kerberos traffic
Tracking this stuff down by hand is a pain, so
Windows 7/Server 2008 R2 offer some new
group policies
NTLM Restriction Policies
Essentially these new policies let you first track
and then block NTLM logons
There are basically three policies, each with an
"audit" and a "block" option:
Incoming NTLM traffic (server tracking)
Outgoing NTLM traffic (client tracking)
Domain traffic (DC tracking)
Create new logs of source "NTLM," numbers
8001, 8002, 8003, 8004
Handling Admin Accounts and
Eliminating "Administrator"
Creating Good Admin Passwords
without having to stress the users
Having someone crack one of our
(administrator) passwords would be bad
One answer: set up different password policies
for members of the Domain Administrators
group from the policy for non-admins
Possible in 2008 and 2008 R2 with "password
settings objects"
Needs 2008 DFL, good tool to utilize it at
www.joeware.net (PSOMgr)
PSOMgr.exe
Stomping Administrator
the account, that is
Local “Administrator” account is unaccountable
Rename it
Prohibit insiders from using it also
(Otherwise, auditing is pointless)
Give people’s accounts the admin privileges that they
need … no more
Then assume that people using Administrator have no
good in mind – make using it a firing offense!
No real need for Administrator acct any more
Stomping Administrator
Randomize the admin password
net user administrator /domain /random>nul
It doesn’t hurt to rename the account in any
case
If using 2003 or 2008, you can
create a smart card for the Administrator account
force the Administrator account to only be able to
log on with the card – ctrl-alt-del won’t work
lock up the card and disperse the PIN
Don’t Spend All Day As Admin
Tempting to be logged in all day as an
administrator
Workaround: runas command, although
truthfully it's a pain
Works best when shift-right-clicking a menu
item
But there's a better way…
What About UAC?
In a sense, it's a "reverse Run As"
You log in as an administrator, but automatically
get two identities, and a reminder whenever
you use the powerful one
People find it annoying… but I really
recommend that you keep it in place
In silent mode, it essentially automates the
"two account switch" trick
Once you understand UAC, it can be very useful,
so give it a second look
Audit Your Network
Windows Auditing
It's been around forever, but isn't always used
Why use it?
After-the-fact forensics
Helpful in compliance situations (HIPAA, SOX)
Treat logs policy-wise the way you treat money
accounting records
Biggest pain is collecting and archiving the
Security logs, as there's one on every
workstation and server
Auditing and Logs
what modern Windows offers
Fine-tune who you're auditing with auditusr,
which first appeared in XP SP2 and 2003 SP1/R2
In Vista and later, it's called "auditpol" and has
different syntax
Easily centralize logs with Windows 6 and 7's
ability to centralize events to a single system –
"event log subscriptions”
Auditing And Logs
some fairly big news in Windows auditing in Win 7/R2
More auditable stuff: 9 categories in Vista…
… 54 in Windows 7/R2
To see this, look in Group Policies / Windows
Settings / Security Settings; the old "Local Policies /
Audit Policy" is there, but there's also now an
"Advanced Audit Policy Configuration" folder
"Global SACL" or "Global object access auditing"
completely changes object auditing
Use either group policies or auditpol to enable
"Reason for access" reporting
Securing Services
Securing Services
Whenever there's a headline-grabbing security
attack, there's a compromised service behind it
There have traditionally been three things you
can do to reduce services' vulnerabilities
Disable the unnecessary ones
Minimize the remaining ones' privileges
Minimize the remaining ones' permissions
XP SP2 started a trend that way, but you may be
surprised at what Windows 6 did to shore up
services' security
Services, Phase One
disable unnecessary ones
Much less necessary with Vista/2008
Messenger, clipbook, alerter services gone
Other services are isolated in a separate
Terminal Services session and so cannot interact
with the desktop
(Only bad part – causes some pre-Vista print
drivers to fail)
Services, Phase 2
de-fang the services that you leave running
Services run not as you, but as some account –
probably System, which is all-powerful
Thus, any damage that they can do is limited by
the permissions on that account
Unfortunately that’s usually System
Vista/2008 includes a built-in feature that
reduces much of System's power
Services, Phase 2
finding out if your devs have been lazy
The problem is that not every developer
exploits it
Way to find out: open an elevated command
prompt and type sc qprivs servicename
If you don't get a list of privileges, that service
has not been secured – so yell at the developer!
Services, Phase 3
reducing their power with service isolation
"System" has all-encompassing file permissions
Vista/2008 take it a step further with "service isolation"
Basically it's an isolated service is one whose developer
has very finely determined which files/folders/etc a
given service, and used a new Vista/2008 feature to
explicitly lock it out of everything else
Test: "sc qsidtype servicename" – you want to see
"SERVICE_SID_TYPE: RESTRICTED"
If not… whack the developers!
(Hey, if you've got Win 6/7, you've already paid for this!)
Managed Service Accounts
Background: what problem does this solve?
Services must run under an account, and
LocalSystem/LocalService/NetworkService can't
always do the job
IIS, Exchange, SQL are some common examples
In that case, techies need to create accounts to act as
service accounts
That works fine, except for the issue of passwords:
they need regular changing or services stop working
Managed Service Accounts
Answer: managed service accounts
New class of accounts
Sorta user accounts, sorta machine accounts
(new icon)
You:
Create one on the domain
"Install" it on the member server
Configure the service so that it logs on as that account, and
from there password updates etc are automatic
Need one account / member
Managed Service Accounts
Password details
240-character passwords created
Ignore group policies about passwords and
ignore fine-grained password policies
Automatically handle password changes
every 30 days
Managed Service Accounts
Requirements/details
Requires at least one 2008 R2 DC
(which means a 2008 R2 schema on the forest)
Requires AD Powershell (and therefore AD Web
Service) to create accounts
Live in their own new folder (not an OU) called
"Managed Service Accounts"
Servers hosting services that use the accounts
must be R2/Win 7
Physical Security
Physical Security
The idea is "if I can touch it, I can hurt it"
The top item on many people's security lists…
but not always a practical one to accomplish
Servers are often protected…
… but what about in branch offices?
And how can we (realistically) secure
workstations – particularly laptops?
And beyond workstations, what about the
other things that carry copies of our data?
Physical Security
using Windows 6 and 7: three technologies
Device installation group policies: "no
removable devices allowed on this system"
BitLocker: encrypts drives, securing
laptops
branch office servers
BitLocker To Go: encrypts removable devices
like USB sticks
Includes group policies that say, "don't let the user
save data onto a USB stick unless the stick's been
encrypted"
Physical Security and RODCs
protecting your Active Directory
In branch offices with questionable physical
security, consider 2008-based "read only
domain controllers" or RODCs
By default, RODCs contain copies of the AD…
… but no passwords
Thus, it's no good if the WAN link's down, but if
stolen, it's got nothing we care about
Physical Security and RODCs
why's it good?
RODCs let you "loosen" security a bit
You can put as many or as few passwords onto
an RODC as you like
And if the RODC is stolen, just three clicks resets
the passwords and deletes the RODC's domain
membership
Combine it with Bitlocker and you're better
protected
Disaster Recovery / Business Continuity
Have A Disaster Plan
the problem
Every organization needs DR and BC plans
"What if we're hacked?"
"What if there's a fire?"
"What if the water tower on the roof leaks and we
have a flood on the top floor, where the servers
are?"
DR plans can be a pain; here's a few thoughts
Have A Plan
have simple (but explicit) plans
After the attack/disaster, the question’s the
same: where are the backups? How do I
restore them? How do I rebuild a DHCP server?
These should be step by step plans
These must be tested beforehand
This is not a small job, but it’s necessary and
even constitutes training materials for new hires
Make DR a Bit Easier w/2008
DR plans are a good idea…but can be so hard to do
Answer: some sort of image backup/"bare metal
restore" tool
Many of the big vendors have them
But 2008 includes one: CompletePC backup
Upgrade the Carbon Units
no technology can protect us from attachments
Kournikova worked because users didn’t know
better and because we “protect” them from
extensions
The weasels only win when users invite them in
Don’t yell, but…user training is the answer
Just 15 minutes of basics about mail and
attachments goes a long way
Stay Informed and Stay Paranoid
www.microsoft.com/security for patches etc.
www.sans.org
www.securityfocus.com
the security pages from whatever apps you rely
upon
Simplify Patching
If "physical" is #1 on many lists, this is probably
#2 or #3
WSUS, of course
But don't forget your other technologies
And then there's patching images
If, however, you're using the free Windows (6
and 7) deployment tools from Microsoft,
patching WIM imaging technology is easier than
just about any tech around (and, again, it's free)
Related Content
WCL308:
SIA310:
SIA202:
SIA201:
SIA302:
SIA206:
Deploying Windows 7 BitLocker in the Enterprise
Cybercrime: A Journey to the Dark Side
Developing a Security Awareness Strategy
Windows 7 Security Overview
Security Management - Integrated Enterprise Security
Microsoft Security Intelligence Report
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
www.microsoft.com/learning
Microsoft Certification and Training Resources
10 pairs of MP3
sunglasses to be won
Complete a session
evaluation and
enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Related documents
windowsAuthentication
windowsAuthentication
Homework 3 Solutions
Homework 3 Solutions
Technology does not end harassment
Technology does not end harassment
Password-Based Football
Password-Based Football
password - Department of Computer Science
password - Department of Computer Science
Download