EDUCAUSE 2006: Seminar 09F

Effective Security Practices for Higher Education

WINDOWS SECURITY

John Bruggeman

Director of Information Systems

Hebrew Union College – Jewish Institute of Religion


Windows Security !

  • Agenda

    • Top Vulnerabilities in Windows Systems

      • (Is there anything new?)

    • Frequent Security mistakes

      • (Avoid being 0wn3d by a b0t)

    • Patching Windows

      • (What happened to cleaning them?)

    • Hardening Windows

      • (Tempered Glass doesn’t count!)

    • Tools and Tips

      • (What do the Pros and Hackers use?)


Windows Security !?

  • Top Vulnerabilities in Windows Systems

    • From the SANS website www.sans.org

      • Windows Services

      • Internet Explorer

      • Windows Libraries

      • MS Office and Outlook Express

      • Windows Configuration Weaknesses


Windows Security !?

  • Top Vulnerabilities in Windows Systems

    • From the SANS website www.sans.org

      • Windows Services

        • Critical Vulnerabilities were discovered in these services in 2005

          • MSDTC and COM+ (MS05-051)

          • Print Spooler (MS05-043)

          • Plug and Play (MS05-047, 039)

          • Server Message Block Service (MS05-027, 011)

          • Exchange SMTP Service (MS05-021)

          • Message Queuing Service (MS05-017)

          • License Logging Service (MS05-010)

        • What to do?

          • Disable Service if possible

          • Scan for Vulnerabilities

          • PATCH


Windows Security !?

  • From the SANS Website www.sans.org

    2) Internet Explorer

    • Multiple vulnerabilities were discovered in 2005 in IE

      • Cumulative Security Patch (MS05-052, 038, 025, 020, 014)

      • JView Profile Remote Code Execution (MS05-037)

      • Windows Shell Remote Code Execution (MS05-008)

    • How to mitigate

      • On XP, install SP2

      • On 2000, NT, keep patches current

      • Use DropMyRights from MS to lower IE privileges

      • Check your Browser Helper Objects (BHO) for spyware

      • Disable Scripting and ActiveX


Windows Security !?

  • From the SANS Website www.sans.org

    3) Windows Libraries

    • DLLs can have buffer overflow vulnerabilities

    • Vulnerabilities discovered in 2005

      • Windows Graphic Rendering Engine (MS05-053)

      • Microsoft Direct Show (MS05-036)

      • HTML Help remote code exec (MS05-026, 001)

      • Web View remote code exec (MS05-024)

      • Windows Shell remote code (MS05-049, 016)

      • PNG Image Processing remote code (MS05-009)

    • Patch your system and scan for vulnerabilities

    • Use least privileges where possible

    • Filter IP ports 135-139 and 445

    • Use an IPS and IDS


Windows Security !?

  • From the SANS Website www.sans.org

    4) MS Office and Outlook Express

    • Attack vectors are email attachments, website documents, and news servers

    • Several critical vulnerabilities in 2005

      • Cumulative Security for Outlook Express (MS05-030)

      • Microsoft OLE and COM remote (MS05-012)

      • MS Office XP remote code exec (MS05-005)

      • MS Access – no patch yet available

    • Check your systems with a vulnerability scanner

    • Mitigate by patching, disable IE feature of opening Office documents

    • Configure Outlook with enhanced security


Windows Security !?

  • From the SANS Website www.sans.org

    5) Windows Configuration Weaknesses

    • Weak passwords on accounts or network shares

      • LAN Manager hashes are weak and should be replaced with stronger, more current hash techniques

      • Default configuration for servers and applications can open machines to password guessing.

      • MSDE ships with SA account set with a blank password.

      • Several worms take advantage of this: Voyager, Alpha Force, and SQL Spida use known weak configurations to spread

    • Enforce a strong password policy

    • Prevent Windows from storing the LM hash in AD or the SAM

    • Disable NULL shares and restrict anonymous access


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Deirdre Hurley

      • www.sans.org/reading_room/whitepapers/windows/1016.php

  • Allowing Null Sessions

  • Weak Lockout Policies

  • Weak Account Policies

  • Multiple Trust relationships

  • Multiple Domain admin accounts

  • Audit logs turned off

  • Automatic Updates turned off


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Allowing Null Sessions

      • What is a Null session?

        • net use \\10.1.1.1\ipc$ "" /user:""

      • So what?

        • You can download usernames, login information, lockout policy information, etc.

      • How do you disable one?

        • MS Security Policy MMC snap-in

        • Update registry key

        • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

      • Tools to test

        • www.securityfriday.com/tools/GetAcct.html


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Weak Lockout Policies

      • If you don’t have one then brute force attacks can succeed

      • If you do have one it becomes more difficult

      • Suggested levels

        • Enable Account Lockout Threshold at 5 attempts

        • Enable Account Lockout Duration to 30 minutes

        • Disable Reset Account Lockout Threshold after

      • Also, enable Administrator account lockout

        • Get the ADSI Edit Snap-in from Windows 2000 support tools

        • http://support.microsoft.com/kb/885119/en-us


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Weak Account Policies

      • Be aware: on 2000, local account policies override domain account policies

      • Some admins create local users to match domain users

      • Forget to set the local Administrator password, sometimes leaving it blank

      • General rules for accounts and passwords

        • Maximum password age 90 days

        • Minimum password age 5 days

        • Minimum password length of at least 7 characters, 14 for Administrators

        • Password Uniqueness – remember 13 passwords


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Multiple Trust relationships

      • Limit the number of trusts in your domain

      • Fewer gaps, less to guard

      • Windows 2000 Tool to find out what trusts you have

        • NT Resource Kit - NLTEST


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Multiple Domain admin accounts

      • Avoid the mistake of having three or four (or more) Domain accounts, or having domain privileges with “normal” users

      • Use the practice of least privileges for all accounts

      • Change default passwords for typical accounts

        • Backup software

          • ArcServe, Tivoli, BackupExec

        • Test accounts

          • Test, dummy

        • Lab accounts

        • Administrator accounts


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Audit logs turned off

      • By default audit logs are turned off

      • Hackers have tools like DUMPACL and DumpSec to find out if auditing is turned on or off

      • Recommended settings for Auditing

        • Account logon events (Success and Failures)

        • Logon Events

        • Account Management

        • Policy Changes

        • System Events

        • Object Access (Success and Failures)

          • Auditing must then be set on the individual files, folders, and registry keys
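
The lockout, account-policy, audit and null-session settings on these slides can all be read back from one place: `secedit /export /cfg policy.inf` writes the effective local policy as an INF file. The following Python is an added example, not code from the talk or from Microsoft. It parses that export and flags every setting that falls short of what the slides recommend: lockout after 5 attempts for 30 minutes, 90/5-day password ages, 7-character minimum (14 for administrators cannot be expressed in one policy, so 7 is checked), 13 remembered passwords, the listed audit categories, RestrictAnonymous for null sessions (slide 8) and NoLMHash for LM hash storage (slide 6). The section and key names are the ones secedit uses; the embedded sample export is constructed to look like an unhardened default. Real exports are UTF-16 and must be decoded before checking.

```python
"""Check a secedit INF export against the settings this talk recommends.

Added example, not from the slides or from Microsoft. Section and key names
follow the layout `secedit /export /cfg policy.inf` produces on 2000/XP/2003.
"""

# Constructed sample mirroring out-of-the-box defaults, so most checks fail.
# (Real exports omit LockoutDuration/ResetLockoutCount while lockout is off.)
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# Audit categories from the slide. Values: 0 none, 1 success, 2 failure, 3 both.
# 3 = the slide says "Success and Failures"; None = slide lists the category only.
AUDIT_REQUIRED = {
    "AuditAccountLogon": 3,
    "AuditLogonEvents": None,
    "AuditAccountManage": None,
    "AuditPolicyChange": None,
    "AuditSystemEvents": None,
    "AuditObjectAccess": 3,
}


def parse_inf(text):
    """Parse secedit's INF layout into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def reg_dword(registry_values, path):
    """Return the DWORD of a [Registry Values] entry ('4,<n>' = REG_DWORD), or None."""
    raw = registry_values.get(path)
    if raw is None:
        return None
    kind, _, data = raw.partition(",")
    return int(data) if kind.strip() == "4" else None


def check_policy(inf_text):
    """Return a list of findings; an empty list means every check passed."""
    inf = parse_inf(inf_text)
    access = inf.get("System Access", {})
    audit = inf.get("Event Audit", {})
    registry = inf.get("Registry Values", {})
    findings = []

    def num(section, key, default=None):
        value = section.get(key)
        return int(value) if value is not None else default

    def require(ok, message):
        if not ok:
            findings.append(message)

    # Lockout policy: 5 attempts, 30-minute duration (-1 = locked until an admin unlocks).
    bad_count = num(access, "LockoutBadCount", 0)
    require(1 <= bad_count <= 5, f"LockoutBadCount={bad_count}: lock out after 5 attempts")
    duration = num(access, "LockoutDuration")
    require(duration is not None and (duration == -1 or duration >= 30),
            f"LockoutDuration={duration}: lock out for 30 minutes")

    # Password policy: max age 90 days (-1 = never expires), min age 5, length 7, history 13.
    max_age = num(access, "MaximumPasswordAge", -1)
    require(1 <= max_age <= 90, f"MaximumPasswordAge={max_age}: expire within 90 days")
    require(num(access, "MinimumPasswordAge", 0) >= 5, "MinimumPasswordAge: at least 5 days")
    require(num(access, "MinimumPasswordLength", 0) >= 7,
            "MinimumPasswordLength: at least 7 (14 for administrators)")
    require(num(access, "PasswordHistorySize", 0) >= 13, "PasswordHistorySize: remember 13")

    # Audit policy: by default every category is 0 (off).
    for key, needed in AUDIT_REQUIRED.items():
        value = num(audit, key, 0)
        ok = value == 3 if needed == 3 else value != 0
        require(ok, f"{key}={value}: auditing not enabled as recommended")

    # Null sessions and LM hash storage are exported as registry values under Lsa.
    restrict = reg_dword(registry, LSA + r"\RestrictAnonymous") or 0
    require(restrict >= 1, "RestrictAnonymous=0: null sessions can enumerate accounts")
    require(reg_dword(registry, LSA + r"\NoLMHash") == 1,
            "NoLMHash not set: LAN Manager hashes are still stored")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_INF):
        print("FAIL", finding)
```

Against the embedded sample the script reports 13 findings; against a real export, read the file with `open("policy.inf", encoding="utf-16").read()` and pass the text to `check_policy`. Each finding names the INF key, so it maps directly onto the Security Policy MMC snap-in setting to change.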


Windows Security !?%

  • Frequent Mistakes made in Windows Security

    • Updates turned off

      • SANS, Gartner Group, and others report that 80-90% of attacks are from known vulnerabilities.

      • SQL Slammer (W32.Slammer) in 2005 attacked a known vulnerability that had a patch available 6 months before it hit.

    • Need to patch systems and keep them current

      • Does require a patch management strategy

      • Will require time

      • Payoff is less downtime


Windows Security !?%#

  • Patching Windows

    • Rod Gode, UC Davis IT Security Symposium 2005

  • What to Patch and How to Patch

    • Options

      • Commercial

      • Microsoft Provided

    • Deployment and Testing

      • Get some test machines

    • Verification

      • MBSA


Windows Security !?%#

  • Patching Windows

    • What to Patch

      • OS

      • Applications

      • BIOS

      • Firmware

    • Types of Patches from MS

      • Hotfix, Update, Critical Update, Security Patch, Update Roll-up, Service Pack


Windows Security !?%#

  • How to Patch

    • Develop a Plan

      • Hardware and Software Inventory

      • Patch management Policy & Process

      • Include a notification process

      • Track & check patch level

      • Download and test patches prior to deployment

      • Deploy patches

      • Audit workstations for compliance
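
The "track & check patch level" and "audit workstations for compliance" steps need a way to compare what each machine has against what it should have, and cumulative patches complicate that: a machine carrying the latest IE cumulative patch should not be reported as missing the four earlier ones. The following Python is an added example, not code from the talk or from any Microsoft tool. The bulletin IDs are the ones the talk lists from SANS; the host inventory, the installed-patch lists and the supersedence chain are constructed sample data (in practice the chain comes from each bulletin's "updates replaced" information and the installed list from MBSA or WSUS).

```python
"""Patch-level compliance with supersedence handling.

Added example, not from the slides or from Microsoft. Bulletin IDs are the ones
the talk lists from SANS; hosts, installed lists and the supersedence chain are
constructed sample data.
"""

# Bulletins the talk lists per component (from the SANS list on the slides).
REQUIRED = {
    "Windows Services": ["MS05-051", "MS05-043", "MS05-047", "MS05-039",
                         "MS05-027", "MS05-011"],
    "Internet Explorer": ["MS05-052", "MS05-038", "MS05-025", "MS05-020",
                          "MS05-014", "MS05-037", "MS05-008"],
}

# Assumed chain for the cumulative IE patches: each one replaces the previous.
# Constructed for this example; take real chains from the bulletins themselves.
SUPERSEDES = {
    "MS05-052": ["MS05-038"],
    "MS05-038": ["MS05-025"],
    "MS05-025": ["MS05-020"],
    "MS05-020": ["MS05-014"],
}

# Constructed inventory: hostname -> bulletins reported as installed.
INVENTORY = {
    "lab-ws01": ["MS05-052", "MS05-051", "MS05-043", "MS05-047", "MS05-039",
                 "MS05-027", "MS05-011", "MS05-037", "MS05-008"],
    "lib-ws07": ["MS05-038", "MS05-051", "MS05-043"],
    "dc01": ["MS05-052", "MS05-051", "MS05-043", "MS05-047", "MS05-039",
             "MS05-027", "MS05-011", "MS05-037"],
}


def effective_patches(installed, supersedes=SUPERSEDES):
    """Installed bulletins plus everything they supersede, followed transitively.

    The 'covered' set also guards against cycles in a hand-maintained chain.
    """
    covered, stack = set(), list(installed)
    while stack:
        bulletin = stack.pop()
        if bulletin in covered:
            continue
        covered.add(bulletin)
        stack.extend(supersedes.get(bulletin, []))
    return covered


def missing_patches(installed, required=REQUIRED, supersedes=SUPERSEDES):
    """Component -> sorted required bulletins not covered; compliant components omitted."""
    covered = effective_patches(installed, supersedes)
    gaps = {}
    for component, bulletins in required.items():
        missing = sorted(b for b in bulletins if b not in covered)
        if missing:
            gaps[component] = missing
    return gaps


def compliance_report(inventory=INVENTORY, required=REQUIRED, supersedes=SUPERSEDES):
    """Per-host gaps; a host with an empty dict meets the whole baseline."""
    return {host: missing_patches(patches, required, supersedes)
            for host, patches in inventory.items()}


def hosts_needing(report, bulletin):
    """Reverse view: hosts that still need one bulletin (to build a GPO or WSUS target group)."""
    return sorted(host for host, gaps in report.items()
                  if any(bulletin in missing for missing in gaps.values()))


if __name__ == "__main__":
    report = compliance_report()
    for host, gaps in report.items():
        status = "OK" if not gaps else "; ".join(
            f"{component}: {' '.join(missing)}" for component, missing in gaps.items())
        print(f"{host:10} {status}")
    print("needs MS05-008:", hosts_needing(report, "MS05-008"))
```

In the sample, lib-ws07 has MS05-038 and so is credited with the three older cumulative IE patches but still reported as missing MS05-052, while dc01 is short only MS05-008. Feeding `hosts_needing` the bulletin you are about to deploy gives the computer list for the group policy assignment described under Deployment Options.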


Windows Security !?%#

  • How to Patch

    • Tools from Microsoft (MS)

      • Analysis tool from MS, Microsoft Baseline Security Analyzer (MBSA)

      • Online update services

        • Microsoft Update, Windows Update, or Download Center

      • Push / Management tools

        • WSUS server, SMS server, Group Policies


Windows Security !?%#

  • How to Patch

    • Tools from Microsoft

      • Microsoft Update is different from Windows Update

        • MU updates all MS products, not just Windows

          • Office updates, Server product patches

      • WSUS is the updated SUS server

        • New version coming out, WSUS 3.0 in Beta now

        • www.microsoft.com/wsus

        • Target client installs, selective client patching, uninstall options


Windows Security !?%#

  • How to Patch

    • Commercial Tools

      • Altiris Patch Management

        • www.altiris.com

      • BigFix Patch Manager

        • www.bigfix.com

      • Ecora Patch Manager

        • www.ecora.com

      • LanDesk Patch Management

        • www.landesk.com


Windows Security !?%#

  • Deployment Options

    • WSUS and SMS

    • Group Policy options (2000 & XP only)

      • Create an Install Package (MSI file) containing the patch, see KB article 257718 on how to do this

      • Store the MSI file on a network share

      • Assign the patch to groups via a group policy

      • Choose the "assigned" publishing method

      • Patch will be installed on assigned computers using the Windows Installer

    • Slipstream

      • Create an image with service packs and patches


Windows Security !?%#

  • Testing and Verification

    • Patching systems are not perfect; you need to test after patches have been applied

    • Tools

      • Microsoft Baseline Security Analyzer 2.0

        • Used for Windows 2000 + SP3 and later

        • Office XP and later

        • Exchange 2000 and later

      • Microsoft Baseline Security Analyzer 1.2.1

        • Office 2000

        • Exchange 5.0 and 5.5


Windows Security !?%#

  • Testing and Verification

    • Commercial Tools

      • BindView - www.bindview.com

      • Computer Associates - www.ca.com

      • Network Associates - www.nai.com

      • Symantec - www.symantec.com

      • Trend Micro - www.trendmicro.com

      • Foundstone - www.foundstone.com


Windows Security !!

  • Hardening Windows

    • Advanced Information Assurance Handbook, CERT

  • Hardening techniques

    • Limit services

    • Limit applications

    • Limit protocols

  • Intrusion Protection techniques

    • Software options to monitor file changes

    • Host based firewalls

  • Tools from Microsoft


Windows Security !!

  • Hardening Windows

    • Hardening techniques

      • Limit services

        • Verify what services are needed

        • On servers, usually these can be disabled

          • IIS (unless needed), Fax service, Indexing service, Messenger, Telnet, Remote Access, QoS RSVP, others

        • On workstations, disable unless needed

          • Fax service, Indexing service, Messenger, Telnet, others

          • Enable firewall


Windows Security !!

  • Hardening Windows

    • Hardening techniques

      • Limit applications

        • Verify what applications are needed; many can be removed without impacting functionality

        • On servers, usually you can remove the following

          • Outlook Express, IIS, Media Player, Journal viewer, Games, POSIX and OS/2 subsystems

        • On workstations, usually you can remove the same

        • Limit what applications end users can run

        • Do not allow end users to install applications


Windows Security !!

  • Hardening Windows

    • Hardening techniques

      • Limit protocols

        • Verify what protocols are needed for your network

          • On servers normally TCP/IP is sufficient

          • On workstations normally TCP/IP is all that is needed

          • Remove IPX/SPX, NetBIOS

      • Limit Network devices

        • Bluetooth (disable unless needed)

        • Wireless (disable unless needed)

        • Firewire (disable unless needed)


Windows Security !!

  • Hardening Windows

    • Firewalls

      • Host based firewalls

        • Server options

          • Windows 2003 SP1 firewall option

        • Workstation options

          • XP SP2, ZoneAlarm, Tiny Personal Firewall

          • 85 listed on Download.com

        • IPSEC

          • Encrypt traffic from host to host


Windows Security !!

  • Hardening Windows

    • Intrusion Protection Systems

      • IPS vs IDS

        • Why detect when you can protect?

        • Signature vs Anomaly

      • IPS can be host or network based

      • IPS Host options

        • EEye BLINK, Prevx Home

      • IDS host options

        • SFC (System File Checker) from MS (can be spoofed)

        • LanGuard

      • IPS Network options

        • Forescout, Tipping Point, McAfee, ISS are options


Windows Security !!

  • Hardening Windows

    • Tools from Microsoft

      • www.microsoft.com/technet/security/tools

    • MBSA 2.0

    • Microsoft Enterprise Scan Tool

    • Security Assessment Tool

    • IIS Lockdown Tool

      • Hardens IIS

    • URLScan Security Tool

      • Included in IIS lockdown tool

    • Cipher Security Tool

      • Shredder for deleted files

    • Port Reporter

      • Logging tool for TCP and UDP activity on XP, 2003, 2000


Windows Security :-)

  • Tools and Techniques

    • Shareware tools

      • Metasploit

        • Framework for testing exploits

      • Nessus

        • Scanning tool to check for vulnerabilities

      • Ethereal

        • Packet sniffer


Windows Security :-)

  • Tools and Techniques

    • Shareware Tools

      • Metasploit

        • DEMO

      • Nessus

        • DEMO

      • Ethereal

        • DEMO


Windows Security :-)

  • Resources

    • www.educause.edu/security

    • www.microsoft.com/technet/security

    • www.sans.org/reading_room/whitepapers/windows

    • www.securityfriday.com

    • www.cert.org

    • www.hackingexposed

    • www.incidents.org

