Advanced Servers and Clients Security

Prinya Hom-anek, CISSP, CISA, SANS GIAC GCFW, (ISC)2 Asian Advisory Board, ACIS Professional Center. Revision 1.1.


Presentation Transcript


  1. Advanced Servers and Clients Security
     Prinya Hom-anek, CISSP, CISA, SANS GIAC GCFW, (ISC)2 Asian Advisory Board
     ACIS Professional Center
     Revision 1.1

  2. Prinya Hom-anek, CISSP, CISA, SANS GIAC GCFW, (ISC)2 Asian Advisory Board
     • (ISC)2 Asian Advisory Board
     • Revenue Department Consultant
     • Member of Electronic Transaction Commission
     • NECTEC and Software Park Consultant
     • Ministry of ICT, Cyber Inspector Committee
     • Head of Information Security, APEC Thailand 2003
     • National Intelligence Agency, Information Security Consultant
     • Lecturer at Faculty of Engineering, Chulalongkorn University
     • Lecturer at College of Innovative Education, Thammasat University
     • Ministry of Justice, Department of Special Investigation, Cyber Security Specialist
     • President and Founder, ACIS Professional Center
     • Check Point CCSA 2000, Cisco CCNA, Microsoft MCSE and MCDBA
     ACIS Professional Center Co., Ltd.

  3. Topics • Information Security Trend from Gartner • Securing Active Directory • Implementing Advanced Security for Servers • Implementing Advanced Security for Clients

  4. Information Security Trend from Gartner

  5. Security-Related Technology Remains Top Technology Priority
     Top-10 Technology Priorities, 2004 (ranking by year)

     2004  2003  2002  Priority
        1     -     -  * Developing efficient/flexible infrastructure
        2     -     -  * Managing efficient/flexible infrastructure
        3     1     1  Security enhancement tools
        4     -     -  * Maintaining a standard desktop
        5     -     -  * IT performance management
        6     -     -  * Improving the TCO of IT assets
        7     2     3  Application integration
        8    12    10  IT-enabled interbusiness processes
        9     4     5  Network management
       10    13    14  Business intelligence applications

     * New question for 2004. Arrows in the original chart mark selected changes in ranking compared with 2003.
     Source: Gartner's EXP Premier Report: Preparing for the Upswing: The 2004 CIO Agenda, March 2004

  6. Security and Privacy Remain Top Trends
     Top-10 Business Trends, 2004 (ranking by year)

     2004  2003  2002  Business trend
        1     2     -  Security breaches/business disruptions
        2     1     1  Operating costs/budgets
        3    10     4  Data protection and privacy
        4     -     -  * Need for revenue growth
        5     -     -  * Use of information in products/services
        6     -     -  * Economic recovery
        7     3     5  Business trends — faster innovation
        8     5     3  Single view of the customer
        9     7     -  Greater transparency in reporting
       10     4     -  Enterprise risk management

     * New question for 2004. Arrows in the original chart mark selected changes in ranking compared with 2003.
     Source: Gartner's EXP Premier Report: Preparing for the Upswing: The 2004 CIO Agenda, March 2004

  7. Bill Gates: "Security Off Top 5 List in 2 Years …"
     "I think within the next two years [security] will get off the top five list [of concerns] … it's probably two years until all the issues around easy quarantine, and everybody being educated and having all the really great auditing tools out there. ..."
     Gartner Symposium/ITxpo, 29 March 2004, San Diego, California

  8. Cyberthreat Hype Cycle (as of January 2004)
     [Figure: hype-cycle chart plotting visibility against maturity. Phases: Technology Trigger, Peak of Inflated Hyperbole, Trough of Irrelevance, Slope of Enlightenment, Plateau of Permanent Annoyance.]
     Threats plotted on the curve: "Phishing", Spam, Spyware, Peer-to-Peer Exploits, Wireless and Mobile Device Attacks, Social Engineering, Denial of Service, DNS Attacks, Viruses, Cyberterrorism, Identity Theft, Xeno-Threats, Hybrid Worms, Zero-Day Threats, War Chalking.

  9. Information Security Hype Cycle (as of June 2004)
     [Figure: hype-cycle chart plotting visibility against maturity. Phases: Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Key (time to plateau): less than two years; two to five years; five to 10 years; more than 10 years; obsolete before plateau.]
     Technologies plotted on the curve: Instant Messaging Security, Deep Packet Inspection Firewalls, Spam Filtering, Patch Management, All-in-One Security Appliances, Secure Sockets Layer VPNs, Personal Intrusion Prevention, Web Services Security Standards, Vulnerability Management, Hardware Tokens, Federated Identity Security, Smart Cards, Scan and Block, Biometrics, Secure Sockets Layer/Trusted Link Security, Reduced Sign-On, Trusted Computing Group, Managed Security Service Providers, Identity Management, Security Platforms, Public Key Operations/Soft Tokens, Data-at-Rest Encryption Appliances, Intrusion Detection Systems, WPA Security, Digital Rights Management (enterprise), Compliance Tools.
     Acronym key: VPN, virtual private network; WPA, Wi-Fi Protected Access.

  10. Securing Active Directory

  11. Importance of Active Directory Security
     Active Directory creates a more secure network environment by requiring:
     • Verification of every user's identity
     • Authorization to grant or to deny access to a resource
     A breach in Active Directory security may result in:
     • The loss of legitimate access to network resources
     • Inappropriate disclosure or loss of sensitive information

  12. Identifying Types of Security Threats

  13. Establishing Secure Boundaries
     Autonomy
     • Can be achieved by delegating service or data administration
     Isolation
     • Requires that a separate forest be deployed

  14. How to Select an Active Directory Structure
     Steps:
     1. Start with a single domain forest
     2. For each business unit with unique administrative requirements, determine the appropriate level of autonomy and isolation
     3. Note whether the requirement pertains to delegation of service management, data management, or both
     4. Determine the appropriate Active Directory structure:
        • Single-domain forest with OUs for data autonomy
        • Single forest with multiple domains for domain-level service autonomy
        • Separate forests for service isolation
        • Separate forests for forest-level service autonomy
        • Separate forests for data isolation from service owners

  15. Securing Service Administration Accounts
     • Secure service administrator accounts to control how the accounts are used
     • Perform service administration tasks only from specific, secure workstations
     • Avoid delegating security-sensitive operations
     • Understand the capabilities of the default service administrator accounts
     • Never share service administration accounts

  16. Limiting the Exposure of Service Administration Accounts
     • Limit the number of service administrator accounts
     • Separate administrative and user accounts for administrative users
     • Hide the domain administrator account
     • Assign trustworthy personnel
     • Limit the Schema Admins group to temporary members
     • Control the administrative logon process

  17. Demonstration 1: Configuring Restricted Group Membership
     • Configure the Enterprise Admins security group as a Restricted Group
     • Refresh Group Policy using GPUpdate
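The demonstration configures the Restricted Groups policy in the GPO editor; the script below is an added companion (not part of the slides) that checks whether the live membership of Enterprise Admins still matches the approved list the policy enforces, and forces a refresh when it does not. It assumes the ActiveDirectory module (RSAT) in an elevated domain session; the approved SamAccountNames and the function name Get-GroupDrift are placeholders chosen here.

```powershell
# Added example, not from the slides: detect drift between the approved
# Enterprise Admins membership and what the directory actually contains.
Import-Module ActiveDirectory

# Approved members: constructed placeholder values, replace with your own.
$Approved = @('Administrator', 'ea-prinya')   # hypothetical SamAccountNames

function Get-GroupDrift {
    param(
        [string]   $GroupName,
        [string[]] $ApprovedMembers
    )
    # -Recursive expands nested groups, so an account hidden inside
    # another group is still reported as an effective member.
    $actual = Get-ADGroupMember -Identity $GroupName -Recursive |
              Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        Group      = $GroupName
        Unexpected = @($actual | Where-Object { $_ -notin $ApprovedMembers })
        Missing    = @($ApprovedMembers | Where-Object { $_ -notin $actual })
    }
}

$drift = Get-GroupDrift -GroupName 'Enterprise Admins' -ApprovedMembers $Approved

if ($drift.Unexpected.Count -gt 0) {
    Write-Warning ("Unexpected members of {0}: {1}" -f $drift.Group,
                   ($drift.Unexpected -join ', '))
    # Restricted Groups rewrites membership on the next policy refresh
    # (where the GPO is linked); forcing it here removes the drift now.
    gpupdate /target:computer /force
} else {
    Write-Output "Enterprise Admins membership matches the approved list."
}
if ($drift.Missing.Count -gt 0) {
    Write-Warning ("Approved members not present: {0}" -f ($drift.Missing -join ', '))
}
```

Run it on a schedule and alert on any Unexpected entry: membership drift in this group is the single most valuable thing the Restricted Groups policy protects.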

  18. Securing Data Administration Practices
     • Restrict Group Policy application to trusted individuals
     • Understand the concept of taking ownership of a data object
     • Reserve ownership of directory partition root objects for service administrators
     • Set object ownership quotas

  19. Protecting DNS Servers
     • Types of attacks include:
       • Spoofing
       • Cache pollution
       • Denial of service
     • To protect your DNS servers from these types of attacks:
       • Use IPSec between DNS clients and servers
       • Monitor network activity
       • Close all unused firewall ports

  20. Protecting DNS Data
     • Use secure dynamic update
     • Set quotas to limit registration of DNS resource records
     • Ensure that DNS administrators are trusted
     • Delegate administration of DNS data
     • Use the appropriate routing mechanism for your environment
     • Use separate internal and external DNS namespaces
     • Disable recursion on DNS servers that do not respond to DNS clients directly and that are not configured with forwarders
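Two of the items above (secure dynamic update and disabling recursion on authoritative-only servers) can be applied and verified with the Windows DNS Server cmdlets. The script below is an added example, not from the slides; it assumes the DnsServer module (Windows Server 2012 or later) in an elevated session on the DNS server, and the $ServesClientsDirectly flag is an assumption you set for each server.

```powershell
# Added example, not from the slides: enforce secure dynamic update and
# disable recursion only where the slide's conditions hold.
Import-Module DnsServer

# Set this per server: recursion stays on for any server that answers
# clients directly, exactly as the slide recommends.
$ServesClientsDirectly = $false

# 1. Secure dynamic update: only authenticated domain members may register
#    or overwrite records. Requires AD-integrated zones (IsDsIntegrated).
Get-DnsServerPrimaryZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object {
        Write-Output "Switching zone $($_.ZoneName) to secure dynamic update"
        Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure
    }

# 2. Zones that are not AD-integrated cannot use secure update; report any
#    that accept unauthenticated updates so they can be reviewed.
Get-DnsServerPrimaryZone |
    Where-Object { -not $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    ForEach-Object { Write-Warning "Zone $($_.ZoneName) allows unauthenticated dynamic update" }

# 3. Recursion: an open recursive server is the classic cache-pollution
#    target. Disable it only on authoritative-only servers with no forwarders.
$forwarders = (Get-DnsServerForwarder).IPAddress
$recursion  = Get-DnsServerRecursion
if (-not $ServesClientsDirectly -and -not $forwarders) {
    if ($recursion.Enable) {
        Set-DnsServerRecursion -Enable $false
        Write-Output "Recursion disabled: authoritative-only server with no forwarders"
    }
} elseif ($recursion.Enable) {
    Write-Output "Recursion left enabled: server resolves for clients or uses forwarders"
}
```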

  21. Implementing Advanced Security for Servers

  22. Windows Services and Security
     • Windows services are applications that run on computers regardless of whether a user is logged on
     • Any service or application is a potential point of attack
     • Gaining control of a service will compromise system security
     • Many services must be accessible from the network, which increases server vulnerability
     • The solution is to run as few services on Windows servers as possible
     • Services authentication
       • All services must run in the security context of a security principal
       • As a best practice, use one of the Windows Server 2003 built-in accounts as the logon account for Windows services

  23. Services You Might Want to Disable

  24. Services You Should Not Disable

  25. Determining Service Dependencies
     1. Open the Services console
     2. Open the Service Properties dialog box
     3. Click the Dependencies tab
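Slide 22's two rules (run as few services as possible, and run them under a built-in account) and slide 25's dependency check can be done together from PowerShell rather than by clicking through each service. The script below is an added example, not from the slides; it assumes an elevated local session with Windows PowerShell 3.0 or later, and Get-ServiceRisk and Get-DisableImpact are names chosen here, not Windows cmdlets.

```powershell
# Added example, not from the slides: list running services with their
# logon account and show what would break before a service is disabled.
$BuiltIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-ServiceRisk {
    # Win32_Service exposes the logon account (StartName); Get-Service does not.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                Account     = $_.StartName
                # A custom (often domain) logon account is the finding: anyone
                # who controls the host can recover its credential, so it must
                # hold the fewest possible permissions.
                CustomLogon = ($_.StartName -notin $BuiltIn)
                Dependents  = @((Get-Service -Name $_.Name).DependentServices |
                                  Where-Object Status -eq 'Running').Count
            }
        }
}

function Get-DisableImpact {
    param([string] $Name)
    # Every service that would stop if $Name were disabled, following
    # the dependency chain transitively (the Dependencies tab shows one level).
    $svc   = Get-Service -Name $Name -ErrorAction Stop
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $svc.DependentServices | ForEach-Object { $queue.Enqueue($_) }
    while ($queue.Count -gt 0) {
        $d = $queue.Dequeue()
        if ($seen.ContainsKey($d.Name)) { continue }
        $seen[$d.Name] = $d.Status
        $d.DependentServices | ForEach-Object { $queue.Enqueue($_) }
    }
    $seen.GetEnumerator() | Sort-Object Name
}

# Services with a custom logon account sort to the top for review.
Get-ServiceRisk | Sort-Object CustomLogon -Descending | Format-Table -AutoSize

# Before disabling a service, check its blast radius, e.g. the RPC service:
Get-DisableImpact -Name 'RpcSs'
```

Export the Get-ServiceRisk output per server role before building the role-specific template described on the next slide; the diff between roles is the list of services the template should leave enabled.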

  26. Configuring Services on Servers That Perform Multiple Roles
     1. Apply the Member Server Baseline security template to all member servers
     2. Place member servers in a role-specific organizational unit
     3. Modify a role-specific security template to enable the services required by the additional roles to be performed on the server
     4. Use Group Policy to apply the modified template to the organizational unit that contains the servers that perform multiple roles

  27. Demonstration 2: Configuring Services Using Security Templates
     • Use the Security Configuration and Analysis tool to analyze and compare service configurations
     • Export a customized security template

  28. Security Auditing
     • Administrators should establish an audit policy
     • When establishing an audit policy:
       • Analyze the threat model
       • Consider system and user capabilities
       • Test and refine the policy
     • Separate the security auditing role from the network administration role
     • Consider using centralized log monitoring tools such as:
       • Microsoft Operations Manager (MOM)
       • EventCombMT
       • Log Parser
       • SNMP
       • Microsoft Audit Collection Services (MACS)

  29. Microsoft Audit Collection Services
     [Figure: MACS architecture. Monitored clients and monitored servers run an agent that forwards their event logs to a collector on the management system, which stores them in a SQL database; real-time intrusion detection applications consume the stream via WMI, and forensic analysis runs against the database. Event logs on the monitored machines are subject to tampering; once collected they are under the control of the auditors.]

  30. Recommended Audit Policy Settings for Member Servers

  31. Demonstration 3: Using EventCombMT to View Event Logs
     • Use EventCombMT to view event logs from multiple servers
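The same multi-server collection the demonstration does with EventCombMT can be scripted, which makes it repeatable for the centralized monitoring slide 28 asks for. The script below is an added example, not from the slides; it assumes the caller can read the remote Security logs (an administrator or a member of Event Log Readers) and that the remote event log RPC ports are reachable. The server names are constructed placeholders and Get-FailureAudits is a name chosen here.

```powershell
# Added example, not from the slides: pull Security-log failure audits from
# several servers and summarise them by server, event and account.
$Servers = @('SRV01', 'SRV02')          # constructed names, replace with yours
$Since   = (Get-Date).AddHours(-24)

function Get-FailureAudits {
    param([string[]] $ComputerName, [datetime] $After)
    foreach ($srv in $ComputerName) {
        try {
            # Get-EventLog reads classic logs, so it works against Windows
            # Server 2003 as well; FailureAudit selects failed-access entries.
            Get-EventLog -ComputerName $srv -LogName Security `
                         -EntryType FailureAudit -After $After -ErrorAction Stop |
                Select-Object @{n='Server'; e={ $srv }}, TimeGenerated,
                              Source, InstanceId, UserName, Message
        } catch {
            # One unreachable server must not hide the results from the others.
            Write-Warning "Could not read Security log on ${srv}: $($_.Exception.Message)"
        }
    }
}

$events = Get-FailureAudits -ComputerName $Servers -After $Since

# Which servers see the most failures, and of which event type.
$events | Group-Object Server, InstanceId |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Accounts failing repeatedly across servers: the view the account lockout
# policy on slide 35 is designed to act on.
$events | Group-Object UserName |
    Where-Object { $_.Count -ge 5 } |
    Select-Object Count, Name,
        @{n='Servers'; e={ ($_.Group.Server | Sort-Object -Unique) -join ',' }}
```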

  32. Best Practices for Securing Servers
     • Apply the latest Service Packs and all available security updates
     • Limit the number of administrators and the level of administrative permissions
     • Run services with a system account that has the fewest possible permissions
     • Harden servers
     • Use Active Directory to enforce server security
     • Have an emergency response plan

  33. Implementing Advanced Security for Clients

  34. Using Security Templates on Clients Security templates can also define policy settings for securing client computers running on the Windows platform

  35. Using Domain-Level Account Policies
     [Figure: the domain's Account Policies, comprising Account Lockout Policies and Kerberos Policies.]
     Account policies are applied at the domain level and affect all domain accounts.

  36. Implementing Security Templates on Clients
     1. Examine the security templates in the Windows XP Security Guide
     2. Import the default templates into a GPO and modify if needed
     3. Deploy security templates using Group Policy objects

  37. Securing Legacy Clients
     • Windows 2000 clients can use security templates deployed through Group Policy
     • Configure other clients by using scripts or policy files:
       • Use logon scripts
       • Use system policies

  38. Deployment Scenarios

  39. Security Guidelines for Users
     * These security guidelines can be fully or partially implemented through centralized policies

  40. Session Summary
     • Identify potential security threats to your Active Directory deployment
     • Apply the latest security patches, limit the number of administrators, and evaluate the need for specific services
     • Apply security templates to clients based upon the scenario or role of the workstations
     • Use an encrypted VPN and multifactor authentication to secure remote user access
     • Document all settings and use a formal change and configuration management strategy

  41. Next Steps
     • Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
     • Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
     • Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
     • Get additional security tools and content: http://www.microsoft.com/security/guidance
     • Get more information security articles: http://www.acisonline.net

  42. Questions and Answers

  43. For more information about Microsoft solutions, please contact ACIS Professional Center Co., Ltd. (www.acisonline.net)

  44. Security Intelligence
