The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions
David J. Goldman, Joseph Nocera

Overview
- Background
- Windows Security Vulnerabilities
- Dealing with Security
- The Role of the Audit
- Maintaining a Secure Environment

Background
- Why this conference exists
- Windows Security Overview
- Internal Security Management

Windows Security Vulnerabilities
- Loss of Confidentiality, Integrity, Accessibility
- Denial of Service
- Enticement Information
- Undesired Access
- Inability to recover from breach
- Inability to prosecute

Windows Security Vulnerabilities: Areas of Concern
- Unneeded Services
- Incorrect System Configuration
- Improper Access Control Lists
- Buffer Overflows
- Other Code Vulnerabilities
- Known vs. Unknown

Unneeded Services
Services:
- Simple TCP/IP Services
- FTP, WWW, SMTP, NNTP
- Telnet
- Terminal Services, Other Remote Access (pcAnywhere, ControlIT, etc.)
- "R" Services (rsh, rcmd, rexec, etc.)
Devices:
- Sniffers
- NFS
- Key Loggers

Incorrect System Configuration
- Service Packs/Hotfixes
- Group Membership
- Registry Values
- Shares
- User Rights
- User Settings

Improper Access Control Lists
- Shares
- Registry Keys
- Directories
- Other Securable Objects
  - System Resources: Printers, Services, Tasks, etc.
  - Active Directory Objects: OUs, GPOs, etc.

Buffer Overflows
- Core Operating System Components
- Internet Information Server (IIS)
- SQL Server
- Third-Party Applications

Other Code Vulnerabilities
- Core Operating System Components
- Third-Party Applications
- Custom Developed Applications
- Web Pages and Internet Applications

Dealing With Security
- Overall Security Architecture
- Risk Assessment
- Data Classification
- Audit the Environment
- Security Design/Implementation Plan
- Monitor and Control
The Role of the Audit
- Determine Vulnerable Areas
- Obtain Specific Security Information
- Allow for Remediation
- Check for Compliance
- Ensure Ongoing Security

Security Audit Components: The "Fab Five"
- User
- Resource
- System
- Network
- Auditing, Logging, and Monitoring

User Security Components
Components:
- User Account Properties
- Account Policy
- User Rights
- Groups
Configuration Issues:
- Passwords: Complexity/Aging/Uniqueness
- Disabled/Locked Accounts
- Workstation Restrictions
- 4 Logon Types
- Sensitive User Rights
- Privileged Group Membership

Resource Security Components
Components:
- File Systems
- File, Folder, and Object Security
- Shares
Configuration Issues:
- NTFS vs. FAT, EFS
- DACLs/SACLs: registry, files/folders, printers, services
- Shares: who needs read/change/full

Resource Security (cont.)
Critical Resources:
- %systemroot% (repair, config, LogFiles)
- %systemroot%\*.exe
- \Program Files
- Inetpub, Inetsrv, IIS data directories

System Security Components
Components:
- Registry
- Services
Configuration Issues:
- Access Paths: Winreg/AllowedPaths
- Registry Permissions: Run, RunOnce, AeDebug
- Registry Values: RestrictAnonymous, CrashDump/ClearPageFile, LMCompatibility
- Installed Services
- Service Context: System vs. User

Network Security Components
Components:
- Domains and Trusts
- Protocols
- Internet Information Server (IIS)
Configuration Issues:
- Relationships: appropriate access
- What is needed: TCP/IP, NetBIOS, NWLink
- IIS: WWW, FTP, SMTP, NNTP

Auditing, Logging, and Monitoring Components
Components:
- Audit Policies
- Event Logs
- Network Alerts
- Performance Monitor
Configuration Issues:
- System Events
- Files and Directories
- Registry
- Log Settings

Maintaining a Secure Environment
- Methodology
- Tools
- Implementation Scripts

Security Methodologies
- Assess
- Design
- Implement
- Operate/Maintain
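The System Security Components slide names registry settings but does not show how an auditor would collect them. The PowerShell script below is an added example and is not part of the Goldman/Nocera deck or its demo; it reads those settings on the local machine and flags deviations from a baseline. The baseline values (RestrictAnonymous = 1, LmCompatibilityLevel = 5, ClearPageFileAtShutdown = 1, CrashDumpEnabled = 0) and the trusted-principal list are assumptions chosen for the example, not the deck's recommendations, so substitute the organization's own standard. PowerShell is used in place of the VBScript and command-shell tooling the deck lists because it is what a Windows auditor types today; the script only reads.

```powershell
# Added example, not from the Goldman/Nocera deck: read the registry settings named on
# the "System Security Components" slide and compare them with an assumed baseline.
# Read-only; run from an elevated PowerShell session so every key is readable.

# Assumed baseline (example values, not the deck's recommendations).
$valueChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous';       Expected = 1 },  # no anonymous enumeration
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel';    Expected = 5 },  # NTLMv2 only, refuse LM/NTLM
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Expected = 1 },  # wipe the pagefile at shutdown
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'CrashDumpEnabled';        Expected = 0 }   # no memory dump written to disk
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent, so the OS default applies
    }
}

$valueReport = foreach ($c in $valueChecks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Setting = $c.Name; Actual = $shown; Expected = $c.Expected; Status = $status }
}

# Remote registry access paths: entries under AllowedPaths\Machine are reachable over the
# remote registry pipe even by principals not granted on the winreg key (each key's own
# ACL still applies), so every entry should be justified.
$allowedPaths = Get-RegValueOrNull `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' `
    -Name 'Machine'

# Registry permissions: Run, RunOnce and AeDebug decide what code runs at logon or when
# a process crashes, so only trusted principals should be able to write to them.
$permKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
)
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Assumed trusted set; extend it for the organization's own administrative groups.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')

$permReport = foreach ($key in $permKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $key).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{ Key = $key; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
    }
}

Write-Output '== Registry values =='
$valueReport | Format-Table -AutoSize | Out-String
Write-Output '== Winreg AllowedPaths\Machine =='
$allowedPaths
Write-Output '== Write access to Run/RunOnce/AeDebug outside trusted principals =='
if ($permReport) { $permReport | Format-Table -AutoSize | Out-String } else { 'none found' }
```

A "REVIEW" status or a non-trusted principal in the last table is an audit finding to discuss with the system owner, not automatically a misconfiguration; the deck's "Allow for Remediation" step is where the value and the ACL get changed, and a single documented baseline makes the same script usable for the later "Check for Compliance" pass.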
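The Resource Security slides list critical directories and ask "who needs read/change/full" on each share. The script below is an added example, not the deck's demo or any PwC tooling; it is the kind of custom script the Tools slide refers to, written in PowerShell rather than VBScript. It reports ACEs on the Critical Resources paths that grant write-type rights to broad principals and lists every Change or Full grant on user-created shares. The set of "broad" principals and the choice to treat anything above Read on a share as a finding are assumptions for the example; Get-SmbShare and Get-SmbShareAccess require the SmbShare module (Windows 8 / Server 2012 or later), which is also assumed. The script only reads.

```powershell
# Added example, not from the Goldman/Nocera deck: check the "Critical Resources" from the
# Resource Security slides for write access granted to broad principals, and list who
# holds Change or Full on each non-administrative share.
# Read-only; run from an elevated PowerShell session. Assumes the SmbShare module exists.

# Rights that let a principal alter a file or folder; Write includes WriteData/AppendData
# and attribute writes. Assumed mask for the example.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Principals that should never be able to modify system binaries or configuration (assumed set).
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Find-WeakFileAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # path absent on this build, skip
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs point at a weak parent, not this object
        }
    }
}

# Paths from the deck's Critical Resources slide, resolved for this machine.
$criticalDirs = @(
    "$env:SystemRoot\repair",
    "$env:SystemRoot\system32\config",
    "$env:SystemRoot\system32\LogFiles",
    $env:ProgramFiles,
    "$env:SystemDrive\Inetpub"
)
# %systemroot%\*.exe: every executable directly under the Windows directory.
$systemExes = Get-ChildItem -LiteralPath $env:SystemRoot -Filter *.exe -File -ErrorAction SilentlyContinue |
              ForEach-Object { $_.FullName }

$fileFindings = foreach ($p in ($criticalDirs + $systemExes)) { Find-WeakFileAce -Path $p }

# Shares: administrative shares (C$, ADMIN$, IPC$) are skipped; for the rest, Read is the
# usual need and every Change or Full grant must be justified by the share's owner.
$shareFindings = @()
if (Get-Command Get-SmbShare -ErrorAction SilentlyContinue) {
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($entry in (Get-SmbShareAccess -Name $share.Name)) {
            if ($entry.AccessControlType -eq 'Allow' -and $entry.AccessRight -ne 'Read') {
                $shareFindings += [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path
                    Principal = $entry.AccountName; Right = $entry.AccessRight
                }
            }
        }
    }
}

Write-Output '== Broad write access on critical resources =='
if ($fileFindings) { $fileFindings | Format-Table -AutoSize | Out-String } else { 'none found' }
Write-Output '== Change/Full share permissions on non-administrative shares =='
if ($shareFindings) { $shareFindings | Format-Table -AutoSize | Out-String } else { 'none found' }
```

The Inherited column matters for remediation: an inherited ACE means the fix belongs on the parent directory, and editing the child alone will be undone the next time inheritance is re-applied. Share permissions and NTFS permissions combine, so a share that grants Full to Everyone is still limited by the NTFS DACL, which is why the deck audits both.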
Tools
Assessment:
- Security Configuration Manager
- DumpSec and DumpReg
- Custom scripts (Visual Basic Scripting)
Implementation:
- Security Configuration Manager
- Resource Kit Utilities
- Custom Scripts: VBScript, Command Shell, other scripting languages

Scripts and Examples
- DEMO

Conclusion
- Holistic Approach to Security
- Detailed plan
- Ongoing Process

Contacts:
David Goldman: 646-471-5682, david.goldman@us.pwcglobal.com
Joseph Nocera: 312-298-2745, joseph.nocera@us.pwcglobal.com