
The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions






Presentation Transcript


  1. The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions
     David J. Goldman, Joseph Nocera

  2. Overview
     • Background
     • Windows Security Vulnerabilities
     • Dealing with Security
     • The Role of the Audit
     • Maintaining a Secure Environment

  3. Background
     • Why this conference exists
     • Windows Security Overview
     • Internal Security Management

  4. Windows Security Vulnerabilities
     • Loss of Confidentiality, Integrity, Accessibility
     • Denial of Service
     • Enticement Information
     • Undesired Access
     • Inability to recover from breach
     • Inability to prosecute

  5. Windows Security Vulnerabilities
     • Areas of Concern
       • Unneeded Services
       • Incorrect System Configuration
       • Improper Access Control Lists
       • Buffer Overflows
       • Other Code Vulnerabilities
     • Known vs. Unknown

  6. Unneeded Services
     • Services
       • Simple TCP/IP Services
       • FTP, WWW, SMTP, NNTP
       • Telnet
       • Terminal Services, Other Remote Access (pcAnywhere, ControlIT, etc.)
       • “R” Services (rsh, rcmd, rexec, etc.)
     • Devices
       • Sniffers
       • NFS
       • Key Loggers

  7. Incorrect System Configuration
     • Service Packs/Hotfixes
     • Group Membership
     • Registry Values
     • Shares
     • User Rights
     • User Settings

  8. Improper Access Control Lists
     • Shares
     • Registry Keys
     • Directories
     • Other Securable Objects
       • System Resources – Printers, Services, Tasks, etc.
       • Active Directory Objects – OUs, GPOs, etc.

  9. Buffer Overflows
     • Core Operating System Components
     • Internet Information Server (IIS)
     • SQL Server
     • Third-Party Applications

  10. Other Code Vulnerabilities
     • Core Operating System Components
     • Third-Party Applications
     • Custom Developed Applications
     • Web Pages and Internet Applications

  11. Dealing With Security
     • Overall Security Architecture
     • Risk Assessment
     • Data Classification
     • Audit the Environment
     • Security Design/Implementation Plan
     • Monitor and Control

  12. The Role of the Audit
     • Determine Vulnerable Areas
     • Obtain Specific Security Information
     • Allow for Remediation
     • Check for Compliance
     • Ensure Ongoing Security

  13. Security Audit Components
     • The “Fab Five”
       • User
       • Resource
       • System
       • Network
       • Auditing, Logging, and Monitoring

  14. User Security
     • Components
       • User Account Properties
       • Account Policy
       • User Rights
       • Groups
     • Configuration Issues
       • Passwords – Complexity/Aging/Uniqueness
       • Disabled/Locked Accounts
       • Workstation Restrictions
       • 4 Logon Types
       • Sensitive User Rights
       • Privileged Group Membership

  15. Resource Security
     • Components
       • File Systems
       • File, Folder, and Object Security
       • Shares
     • Configuration Issues
       • NTFS vs. FAT, EFS
       • DACLs/SACLs – registry, files/folders, printers, services
       • Shares – who needs read/change/full

  16. Resource Security (cont.)
     • Critical Resources
       • %systemroot% (repair, config, LogFiles)
       • %systemroot%\*.exe
       • \Program Files
       • Inetpub, Inetsrv, IIS data directories

  17. System Security
     • Components
       • Registry
       • Services
     • Configuration Issues
       • Access Paths – Winreg\AllowedPaths
       • Registry Permissions – Run, RunOnce, AeDebug
       • Registry Values – RestrictAnonymous, CrashDump/ClearPageFile, LMCompatibility
       • Installed Services
       • Service Context – System vs. User
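As an added example (not part of the deck, whose own demo used VBScript and command-shell scripts), a PowerShell audit of the registry items this slide names: it compares RestrictAnonymous, LMCompatibility, ClearPageFile and CrashDump against a baseline, reports principals outside a trusted set that hold write rights on the Run, RunOnce and AeDebug keys, and lists the Winreg AllowedPaths for review. The expected values and the trusted-principal list are assumptions for illustration, not the presenters' recommendations.

```powershell
# Added example, not from the presentation: audit the registry items named on the
# System Security slide. Baseline values are assumptions; take real ones from policy.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @(
    # 1 or 2 restricts anonymous enumeration of accounts and shares; 0 does not
    @{ Path = $Lsa; Name = 'RestrictAnonymous';    Expect = { $args[0] -ge 1 } }
    # 3 or higher sends NTLMv2 responses only; 5 also refuses LM/NTLM at the server
    @{ Path = $Lsa; Name = 'LmCompatibilityLevel'; Expect = { $args[0] -ge 3 } }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Expect = { $args[0] -eq 1 } }
    # assumed policy: no crash dumps written to disk (they can contain credentials)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'CrashDumpEnabled'; Expect = { $args[0] -eq 0 } }
)
# Run/RunOnce contents execute at logon and AeDebug\Debugger runs on any process
# crash, so a write grant to anyone outside this (assumed) trusted set is a finding.
$SensitiveKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug')
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
$R = [System.Security.AccessControl.RegistryRights]
$WriteMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::WriteKey -bor
                   $R::ChangePermissions -bor $R::TakeOwnership -bor $R::FullControl)
function Test-RegistryBaseline {
    foreach ($item in $Baseline) {
        $key   = Get-Item -LiteralPath $item.Path -ErrorAction SilentlyContinue
        $value = if ($key) { $key.GetValue($item.Name) } else { $null }   # $null if absent
        [pscustomobject]@{ Check = "$($item.Path)\$($item.Name)"; Value = $value
                           Pass  = ($null -ne $value) -and [bool](& $item.Expect $value) }
    }
}
function Find-UntrustedRegistryWriters {
    foreach ($path in $SensitiveKeys) {
        $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
        foreach ($rule in @($acl.Access)) {
            $grantsWrite = ([int]$rule.RegistryRights -band $WriteMask) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $grantsWrite -and
                $rule.IdentityReference.Value -notin $TrustedWriters) {
                [pscustomobject]@{ Key = $path; Principal = $rule.IdentityReference.Value
                                   Rights = $rule.RegistryRights }
            }
        }
    }
}
# Remote registry access paths (Winreg\AllowedPaths\Machine) are listed for manual review.
$Winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
Test-RegistryBaseline | Format-Table -AutoSize
Find-UntrustedRegistryWriters | Format-Table -AutoSize
(Get-ItemProperty -Path $Winreg -ErrorAction SilentlyContinue).Machine
```

The script only reads the registry and its ACLs; a missing value is reported as a failed check rather than silently skipped.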

  18. Network Security
     • Components
       • Domains and Trusts
       • Protocols
       • Internet Information Server (IIS)
     • Configuration Issues
       • Relationships – appropriate access
       • What is needed – TCP/IP, NetBIOS, NWLink
       • IIS – WWW, FTP, SMTP, NNTP

  19. Auditing, Logging, and Monitoring
     • Components
       • Audit Policies
       • Event Logs
       • Network Alerts
       • Performance Monitor
     • Configuration Issues
       • System Events
       • Files and Directories
       • Registry
       • Log Settings

  20. Maintaining a Secure Environment
     • Methodology
     • Tools
     • Implementation Scripts

  21. Security Methodologies
     • Assess
     • Design
     • Implement
     • Operate/Maintain

  22. Tools
     • Assessment
       • Security Configuration Manager
       • DumpSec and DumpReg
       • Custom scripts (Visual Basic Scripting)
     • Implementation
       • Security Configuration Manager
       • Resource Kit Utilities
       • Custom Scripts – VB Script, Command Shell, other scripting languages

  23. Scripts and Examples (Demo)

  24. Conclusion
     • Holistic Approach to Security
     • Detailed plan
     • Ongoing Process
     • David Goldman: 646-471-5682, david.goldman@us.pwcglobal.com
     • Joseph Nocera: 312-298-2745, joseph.nocera@us.pwcglobal.com
