Windows - The Deep Technical Audit

The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions
David J. Goldman
Joseph Nocera
Overview
Background
Windows Security Vulnerabilities
Dealing with Security
The Role of the Audit
Maintaining a Secure Environment
Background
Why this conference exists
Windows Security Overview
Internal Security Management
Windows Security Vulnerabilities
Loss of Confidentiality, Integrity, Accessibility
Denial of Service
Enticement Information
Undesired Access
Inability to recover from breach
Inability to prosecute
Windows Security Vulnerabilities
Areas of Concern
Unneeded Services
Incorrect System Configuration
Improper Access Control Lists
Buffer Overflows
Other Code Vulnerabilities
Known vs. Unknown
Unneeded Services
Services
Simple TCP/IP Services
FTP, WWW, SMTP, NNTP
Telnet
Terminal Services, Other Remote Access (pcAnywhere, ControlIT, etc.)
“R” Services (rsh, rcmd, rexec, etc.)
Devices
Sniffers
NFS
Key Loggers
Incorrect System Configuration
Service Packs/Hotfixes
Group Membership
Registry Values
Shares
User Rights
User Settings
Improper Access Control Lists
Shares
Registry Keys
Directories
Other Securable Objects
 System Resources: Printers, Services, Tasks, etc.
 Active Directory Objects: OUs, GPOs, etc.
Buffer Overflows
Core Operating System Components
Internet Information Server (IIS)
SQL Server
Third-Party Applications
Other Code Vulnerabilities
Core Operating System Components
Third-Party Applications
Custom Developed Applications
Web Pages and Internet Applications
Dealing With Security
Overall Security Architecture
Risk Assessment
Data Classification
Audit the Environment
Security Design/Implementation Plan
Monitor and Control
The Role of the Audit
Determine Vulnerable Areas
Obtain Specific Security Information
Allow for Remediation
Check for Compliance
Ensure Ongoing Security
Security Audit Components
The “Fab Five”
User
Resource
System
Network
Auditing, Logging, and Monitoring
User Security
Components
User Account Properties
Account Policy
User Rights
Groups
Configuration Issues
Passwords – Complexity/Aging/Uniqueness
Disabled/Locked Accounts
Workstation Restrictions
4 Logon Types
Sensitive User Rights
Privileged Group Membership
Resource Security
Components
File Systems
File, Folder, and Object Security
Shares
Configuration Issues
NTFS vs. FAT, EFS
DACLs/SACLs – reg, files/folders, printers, services
Shares – who needs read/change/full
Resource Security Cont.
Critical Resources
%systemroot% (repair, config, LogFiles)
%systemroot%\*.exe
\Program Files
Inetpub, Inetsrv, IIS data directories
System Security
Components
Registry
Services
Configuration Issues
Access Paths - Winreg/AllowedPaths
Reg Permissions - Run, RunOnce, AeDebug
Reg Values – RestrictAnonymous, CrashDump/ClearPageFile, LmCompatibility
Installed Services
Service Context – System vs. User
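Added example, not from the deck or its authors: a PowerShell audit of the registry values and key permissions the System Security slide lists. The registry paths are the standard locations of those values; the expected values are assumptions standing in for an organisation's own baseline.

```powershell
# Added example (not from the deck): audit the registry values and key
# permissions the System Security slide names. Expected values are assumed
# hardened settings; a missing value means the (weaker) default applies.
$valueChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous';       Expected = @(1, 2) },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel';    Expected = @(3, 4, 5) },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Expected = @(1) }
)
# Keys whose DACLs decide who can plant code that runs at logon or on a crash.
$aclKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

function Test-RegistryValues {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        try { $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name) }
        catch { }   # key or value absent: the default applies
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ($c.Expected -contains $actual) { 'OK' } else { 'FAIL' }
        [pscustomobject]@{ Value = $c.Name; Actual = $actual
                           Expected = ($c.Expected -join '/'); Status = $status }
    }
}

function Test-RegistryKeyAcl {
    param([string[]]$Keys)
    foreach ($k in $Keys) {
        # Report ACEs that grant write access to broad, non-administrative principals.
        (Get-Acl -Path $k).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.RegistryRights -match 'SetValue|CreateSubKey|WriteKey|FullControl' -and
                $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users|INTERACTIVE'
            } |
            ForEach-Object {
                [pscustomobject]@{ Key = $k; Identity = $_.IdentityReference; Rights = $_.RegistryRights }
            }
    }
}

Test-RegistryValues $valueChecks | Format-Table -AutoSize
Test-RegistryKeyAcl $aclKeys | Format-Table -AutoSize
```

Run from an elevated prompt so all three hives and ACLs are readable; a FAIL or MISSING row on the first table, or any row at all on the second, is a finding to carry into the remediation plan.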
Network Security
Components
Domains and Trusts
Protocols
Internet Information Server (IIS)
Configuration Issues
Relationships – appropriate access
What is needed – TCP/IP, NetBIOS, NWLink
IIS – WWW, FTP, SMTP, NNTP
Auditing, Logging, and Monitoring
Components
Audit Policies
Event Logs
Network Alerts
Performance Monitor
Configuration Issues
System Events
Files and Directories
Registry
Log Settings
Maintaining a Secure Environment
Methodology
Tools
Implementation Scripts
Security Methodologies
Assess
Design
Implement
Operate/Maintain
Tools
Assessment
Security Configuration Manager
DumpSec and DumpReg
Custom scripts (Visual Basic Scripting)
Implementation
Security Configuration Manager
Resource Kit Utilities
Custom Scripts
 VB Script, Command Shell, other scripting languages
Scripts and Examples
DEMO
Conclusion
Holistic Approach to Security
Detailed plan
Ongoing Process
David Goldman: 646-471-5682, david.goldman@us.pwcglobal.com
Joseph Nocera: 312-298-2745, joseph.nocera@us.pwcglobal.com