Sinergija09 :: Akcija!!! • • Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 ! Kompanija Microsoft Software je u saradnji sa partnerskom firmom Network Security Solutions rešila da pokloni svim zainteresovanim firmama učesnicama Sinergije09, bez obzira na broj prijavljenih posetilaca konferencije, po jednu besplatnu osnovnu procenu bezbednosti web sajta. Prijave do 30. Novembra http://www.netsec.rs Protecting Windows and Web applications Dejan Levaja, MVP [Enterprise Security] Network Security Solutions http://www.netsec.rs Agenda • • • • • • • Server 2008 Security mehnizmi - podsetnik IIS 7 security Patching Auditing Scanning and Assessment Hardening Security Testing Security and protection • • Security improvements to the kernel – Kernel patch protection for 64-bit editions – Security improvements to the heap manager – Security improvements to the registry – Code integrity – Data Execution Prevention – Address Space Layout Randomization – Windows Resource Protection Security improvements to Windows services – Windows service hardening – Session 0 isolation – Named pipe hardening • • • • • Windows Integrity Mechanism Windows Internet Explorer 7/8 – Protected mode – Extended Validation SSL certificates Extensible logon architecture Cryptography Next Generation Authentication protocol improvements – Windows implementation of the Kerberos protocol – TLS/SSL cryptographic enhancements Threats and vulnerabilities mitigation • • • • • • • Server role security configuration Server Core installation option User Account Control Web Server (IIS) role Backup and recovery Windows Firewall with Advanced Security Network Policy and Access Services role – Network Policy Server – Network Access Protection – Routing and Remote Access Secure configuration assessment and management • • • • • • Security auditing Server security policy management Security Configuration Wizard Authorization Manager Group Policy Active Directory Domain Services – Fine-grained password policies – Auditing Identity and access control • • • • • • • • • • • • • • Smart cards 802.1X authenticated wired and wireless access Backup and restore of stored user names and passwords Credential Security Service Provider and single sign-on for Terminal Services logon Previous logon information Access control user interface TrustedInstaller SID Restricted SIDs checks File system namespace modifications Default permissions changes Changes to tokens Integrity levels Icacls command-line tool OwnerRights SID • • • • • BitLocker Drive Encryption Encrypting File System Active Directory Certificate Services – Cryptography Next Generation – Online Certificate Status Protocol – Network Device Enrollment Service – Web enrollment – Policy settings – Restricted enrollment agent – Enterprise PKI snap-in Active Directory Domain Services Active Directory Rights Management Service IIS 7 Security • Ranjivosti – – – – • • • • • IIS 7 Apache 2.2 IIS 6 Apache 2.0 (2006. – Sinergija09) (2006. – Sinergija09) (2003. – Sinergija09) (2003. – Sinergija09) Authentication IP and Domain Restriction URL Authorization Request Filtering Certificates => 2 => 17 => 8 => 41 IIS 7 Security - Authentication • Izmene – – – – – – • IUSR_machine_name => IUSR IUSR_machine_name postoji samo ako postoji i FTP IUSR radi u bezbednosnom kontekstu worker procesa (network service) IUSR nema lozinku IUSR_WPG => IIS_IUSR Najvažnije: IUSR i IIS_IUSR su Built-In nalozi –> svuda isti SID -> moguć XCOPY /O Authentication – – – – – – – Anonymous Basic Windows Forms Certificates* Digest ASP.NET Impersonation IIS 7 Security - IP and Domain Restriction • • Ograničenje pristupa po IP adresi Ograničenje pristupa po imenu domena (zahteva reversni DNS lookup!) – Demo • Dynamic IP Restrictions Extension (beta) – http://www.iis.net/extensions/DynamicIPRestrictions IIS 7 Security - URL Authorization • NTFS vs URL autorizacija – xcopy /o • Demo – Scenario • Isključimo Anon Auth, uključimo Basic • kreiramo grupu • kreiramo korisnike i dodamo ih u grupu • obrišemo defaultni URL Authorization Rule i kreiramo novi – Sve ovo može i iz CMD-a (appcmd.exe)! Request Filtering – simple WAF • URLScan => Request Filtering – Filter Double-Encoded Requests • ‘\’ => %5c – ‘% ‘=> %25 » %255c • scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ (IIS 5.0) – Filter High Bit Characters – Filter Based on File Extensions – Filter Based on Request Limits – Filter by Verbs – Filter Based on URL Sequences • /../ , – Filter Out Hidden Segments Certificates • SSL – – – – – • one to many mapping one to one mapping AD mapping CLR, delta CRL Next, next, finish Demo Patching • Windows Update – <= Vista – OS + IE • Microsoft Update – Windows Update + MS Office + Exchange + SQL + ... – http://www.update.microsoft.com/ • • • Automatic Update Patch Tuesday ( and Exploit Wednesday ) Microsoft Catalog – http://catalog.update.microsoft.com Patching • WSUS 3.0 – – – – Sastavni deo Servera 2008 (KB 940518) SUS == OS; WSUS == OS + ostalo WSUS = IIS 7+ SQL (WID) + Microsoft Update GPO ili Registry • GPO => Computer Configuration\Administrative Templates\Windows Components\Windows Upddate\Specify Intranet Microsoft Update Service Location • Registry => KLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ – reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate » /v WUServer /t REG_SZ /d http://wsus.netsec.local » /v WUStatusServer /t REG_SZ /d http://wsus.netsec.local Auditing • Auditing in Server 2008 – – – – • 4GB vs >petabyte n*1000 evt/sec vs n*10000 evt/sec granular audit policy (GAP) GPO (R2), AuditPol.exe EventViewer – XML • • eventquery.vbs wevtutil.exe Demo: Failed logons – wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text > logon.txt Scanning • MBSA – – – – – – – – Security Updates, Administrative Vulnerabilities, IIS, SQL, Desktop apps WSUS i MBSA GUI, cmd (mbsacli.exe) Online, Offline wsusscn2.cab - http://go.microsoft.com/fwlink/?LinkId=76054 Visio Connector (2003,2007) %userprofile%\SecurityScans Demo: • mbsacli.exe /target 192.168.0.10 /u administrator /p P@ssw0rd • mbsacli.exe /n SQL+IIS /catalog c:\wsusscan2.cab /nd Assessment • MSAT – MSAT is designed to help you identify and address security risks in your IT environment. – http://technet.microsoft.com/en-us/security/cc185712.aspx • • • Preko 200 pitanja baziranih na ISO 27001 Infrastructure, Applications, Operations, People Demo Hardening • • Windows Firewall with Advanced Security IPSec => Server and Domain Isolation – R2 or not R2 ? – Demo • Security Configuration Wizard – Demo Security Testing • Vulnerability Assessment – popisuje ranjivosti – MBSA, ... • Penetration Testing – dokazuje da je moguće iskoristiti pronađene ranjivosti – browser + proxy, metasploit, ... • • Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 ! Prijave do 30. Novembra http://www.netsec.rs Molimo vas da popunite ankete! Please fill out the evaluations! Vaše mišljenje čini osnovu sledeće Sinergije i omogućava nam da oblikujemo sadržaj u skladu sa Vašim željama. Your opinion forms the next Sinergija conference, and it provides us with the means to shape its content to best suit you. Svi posetioci koji popune ankete ulaze u nagradnu igru All attendees that fill out the evaluations are taking part in drawing of special prizes Hvala! dejan.levaja@netsec.rs Microsoft Community Serbia http://www.msforge.net