
Applied Security Strategies

Applied Security Strategies. Michael Anderberg, Senior Systems Engineer, Windows Platform, Microsoft AB.
Session Prerequisites: understanding of enterprise security challenges; knowledge of securing computers by using Group Policy; understanding of remote access basics.


Presentation Transcript


  1. Applied Security Strategies
  Michael Anderberg, Senior Systems Engineer, Windows Platform, Microsoft AB

  2. Session Prerequisites
  • Understanding of enterprise security challenges
  • Knowledge of securing computers by using Group Policy
  • Understanding of remote access basics
  • Knowledge of how to apply security patches
  Level 300

  3. Agenda
  • Introduction
  • Real-World Patch Management Strategies
  • Real-World Remote Access Strategies
  • Troubleshooting Security Configurations

  4. Defense in Depth
  • Using a layered approach:
    • Increases an attacker’s risk of detection
    • Reduces an attacker’s chance of success
  [Layer diagram, outermost to innermost:]
  • Policies, Procedures, & Awareness: user education
  • Physical Security: guards, locks, tracking devices
  • Perimeter: firewalls, VPN quarantine
  • Internal Network: network segments, IPSec, NIDS
  • Host: OS hardening, update management, authentication, HIDS
  • Application: application hardening, antivirus
  • Data: ACL, encryption

  5. Common Security Challenges
  • Patch management: beyond the basics
  • Remote access security
  • Troubleshooting security policies

  6. Agenda
  • Introduction
  • Real-World Patch Management Strategies
  • Real-World Remote Access Strategies
  • Troubleshooting Security Configurations

  7. Importance of Proactive Patch Management

  8. Patch Management Process
  [Cycle diagram: 1. Assess → 2. Identify → 3. Evaluate and Plan → 4. Deploy → back to 1. Assess]
  1. Assess Environment to be Patched
    Periodic Tasks
    A. Create/maintain baseline of systems
    B. Assess patch management architecture
    C. Review infrastructure/configuration
    Ongoing Tasks
    A. Discover assets
    B. Inventory clients
  2. Identify New Patches
    Tasks
    A. Identify new patches
    B. Determine patch relevance
    C. Verify patch authenticity and integrity
  3. Evaluate and Plan Patch Deployment
    Tasks
    A. Obtain approval to deploy patch
    B. Perform risk assessment
    C. Plan patch release process
    D. Complete patch acceptance testing
  4. Deploy the Patch
    Tasks
    A. Distribute and install patch
    B. Report on progress
    C. Handle exceptions
    D. Review deployment

  9. Monitoring Patch Status
  • Subscribe to notification services
    • Microsoft Security Notification Service
    • Third-party mailing lists
  • Check websites
    • www.microsoft.com/technet/security
    • Product-specific pages
    • Third-party sites
  • Implement regular review and deployment schedule
    • Microsoft’s patch release schedule: second Tuesday of each month
    • Exception: customers are at immediate risk
  • Configure automated tools to check for new updates daily

  10. When to Apply Patches
  • Apply as soon as possible
  • Apply only after testing
  • Implement mitigating measures
  • Apply according to severity rating

  11. Microsoft Tools for Patch Management

  12. MBSA – Benefits
  • Automates identification of missing security patches and security configuration issues
  • Allows administrator to centrally scan a large number of systems simultaneously
  • Works with a broad range of Microsoft software (not just Windows and Office)

  13. MBSA – How It Works
  • MSSecure.xml contains
    • Security bulletin names
    • Product-specific updates
    • Version and checksum info
    • Registry keys changed
    • KB article numbers
  • Run MBSA on Admin system; specify targets
  • Downloads CAB file with MSSecure.xml and verifies digital signature
  • Scans target systems for OS, OS components, and applications
  • Parses MSSecure to see if updates are available
  • Checks if required updates are missing
  • Generates time-stamped report of missing updates
  [Diagram: the MBSA computer downloads MSSecure.xml from the Microsoft Download Center, then scans the target computers]
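The comparison step on this slide (parse the catalog, check whether each required update is present) is easy to get wrong when versions are compared as text. The following is an added example, not MBSA code and not the real MSSecure.xml schema: a constructed catalog with bulletin and KB identifiers that are placeholders, a constructed host inventory, and a relevance check that compares file versions numerically.

```python
"""Added example (not MBSA code): deciding which updates a host is missing.

The catalog below is a constructed stand-in for the kind of information the
slide says MSSecure.xml carries (bulletin name, KB number, product, the file
version a patched system must have). Bulletin and KB values are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    bulletin: str     # placeholder bulletin name (constructed)
    kb: str           # placeholder KB article number (constructed)
    product: str      # product the update applies to
    file: str         # file whose version proves the update is installed
    min_version: str  # version the file has after the update is applied


# Constructed catalog entries.
CATALOG = [
    Update("MS-EXAMPLE-001", "KB000001", "Windows Server 2003", "ntoskrnl.exe", "5.2.3790.1830"),
    Update("MS-EXAMPLE-002", "KB000002", "Windows Server 2003", "mshtml.dll", "6.0.3790.1830"),
    Update("MS-EXAMPLE-003", "KB000003", "Office 2003", "winword.exe", "11.0.6359.0"),
]


def parse_version(text):
    """Split "5.2.3790.218" into (5, 2, 3790, 218) so the comparison is numeric.
    Comparing the raw strings would rank "5.2.3790.218" above "5.2.3790.1830"
    because '2' sorts after '1', and a missing update would go unreported."""
    return tuple(int(part) for part in text.split("."))


def missing_updates(product, installed_files, catalog=CATALOG):
    """Return bulletins whose patched file version the host does not reach.

    installed_files maps file name -> version string found on the host.
    A file that is absent is reported as missing too: without it the scanner
    cannot confirm that the update was applied."""
    missing = []
    for upd in catalog:
        if upd.product != product:
            continue   # relevance: only updates for this product matter
        have = installed_files.get(upd.file)
        if have is None or parse_version(have) < parse_version(upd.min_version):
            missing.append(upd.bulletin)
    return missing


# Constructed inventory of one host, as a scan of file versions would produce.
HOST_INVENTORY = {
    "ntoskrnl.exe": "5.2.3790.218",   # older than required, despite "218" > "1830" as text
    "mshtml.dll": "6.0.3790.1830",    # up to date
}

if __name__ == "__main__":
    print(missing_updates("Windows Server 2003", HOST_INVENTORY))
```

The same check generalises to registry-key or checksum evidence: replace the version comparison with whichever test the catalog entry specifies, but keep the "absent evidence counts as missing" rule so a scan never silently passes a host it could not verify.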

  14. Automating Detection with MBSA
  • MBSA Scan (GUI)
    • Performs well for small and medium-size networks
  • MBSA Scan (mbsacli.exe)
    • Performs automated scans using command-line parameters
    • Example: mbsacli /d mydomain /f report.txt
  • MBSA Scan in HFNetChk mode (mbsacli.exe /hf)
    • Performs automated scans using command-line parameters
    • Checks for missing patches only
    • Example: mbsacli /hf -o tab -f report.txt
  • MBSA and Windows Update might show different results

  15. Automating Patch Distribution and Monitoring with SUS
  • Performs pull installations of service packs, security rollup packages, and critical updates
  • Gives administrators control over software updates
  • Prevents unauthorized installations when SUS is used with Automatic Updates
  • Allows for staging and testing
  • Works only for Windows 2000 and later

  16. Managing a Complex SUS Environment
  • Centrally manage downloading and approving updates
  • Use OU structure and GPOs to manage SUS update distribution
  • Use the WUAU.ADM template file to configure AU client settings
  • Assign GPOs to OUs
  [Diagram: one domain with OUs Member Servers (Member Server GPO), SUS Test (SUS Test GPO), HO Workstations (HO GPO), RO1 Workstations (RO1 GPO) and RO2 Workstations (RO2 GPO)]

  17. Using Management Software to Distribute and Apply Patches
  • System Management Server (SMS) 2003
    • Gives administrators control over patch management
    • Automates the patch management process
    • Updates a broad range of Microsoft products
    • Updates third-party software
    • Provides flexibility by using scripts
  • Third-Party Solutions
    • Integrates with third-party solutions through scripting

  18. Third-Party Solutions

  19. Patching Microsoft Office
  • Office Inventory Tool
  • Office Update
  • Office patches require the original files
  • Office 2003 caches installation files
  • Installation points patching

  20. Best Practices for Successful Patch Management
  • Use a change control process
  • Read all related documentation
  • Apply updates only as needed
  • Test updates thoroughly
  • Ensure consistency across domain controllers
  • Back up your system, and schedule production downtime
  • Always have a rollback plan
  • Forewarn help desk and key user groups
  • Target non-critical servers first

  21. Agenda
  • Introduction
  • Real-World Patch Management Strategies
  • Real-World Remote Access Strategies
  • Troubleshooting Security Configurations

  22. VPNs and Firewalls
  • Combining a firewall with a VPN server
  [Diagram: two placements, "RAS Server & Firewall on Same Computer" and "RAS Server Behind Firewall", each showing VPN clients connecting to the RAS server]

  23. VPN Server Behind a Firewall
  • Challenge: Allow the firewall to pass traffic to the VPN server
  • Challenge: Stateful inspection

  24. Using ISA Server as a VPN Server and a Firewall

  25. Challenges of Using IPSec and NAT
  • Packet header is modified, invalidating packets
  • IKE uses IP fragments
  • NAT devices that assume tunnel mode
  [Diagram: original packet (Orig IP Hdr | TCP Hdr | Data); AH inserted (Orig IP Hdr | AH Hdr | TCP Hdr | Data); the packet then passes NAT1 and NAT2, each rewriting the IP header (NAT1 Hdr, NAT2 Hdr), while the AH header contains an encrypted hash of the original packet header]

  26. Solution Model
  • IETF draft on NAT Traversal (NAT-T) recommends that devices on both ends should:
    • Detect the presence of NAT
    • Use a non-IPSec port so that NAT devices do not interfere with network traffic
    • Encapsulate IPSec in UDP
  • In addition, the Microsoft solution prevents IP fragments

  27. How NAT-T Works
  [Diagram: original packet (Orig IP Hdr | TCP Hdr | Data); ESP inserted (Orig IP Hdr | ESP Hdr | TCP Hdr | Data); a UDP header inserted ahead of ESP. Sent by A: Orig IP Hdr | UDP src 4500, dst 4500 | ESP Hdr | Rest…; after passing NAT1 and NAT2, received by B: Orig IP Hdr | UDP src XXX, dst 4500 | ESP Hdr | Rest…]
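Slides 26 and 27 describe two mechanisms: detecting that a NAT sits on the path, and wrapping ESP in UDP on port 4500 so the NAT only rewrites the outer UDP header. The following is an added example, not Windows or ISA Server code, that models both in plain Python. NAT detection follows the NAT-D idea from the IETF NAT-T work (a hash over the IKE cookies, IP and port that the receiver recomputes over the source address it actually saw; SHA-1 is used here as an illustration). Encapsulation follows the ESP-in-UDP layout, where IKE on port 4500 carries a four-zero-byte non-ESP marker and ESP starts with its non-zero SPI. Cookies, addresses, SPI and payloads are constructed values.

```python
"""Added example (not Windows or ISA Server code): NAT detection and
ESP-in-UDP encapsulation as described on the NAT-T slides, modelled in Python.
Cookies, addresses, the SPI and the payloads are constructed values.
"""
import hashlib
import ipaddress
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
UDP_HDR = struct.Struct("!HHHH")   # src port, dst port, length, checksum


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port)."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_detected(cky_i, cky_r, claimed_hash, observed_ip, observed_port):
    """Receiver side: recompute over the source address actually observed.
    A mismatch means a device on the path rewrote the address or port."""
    return claimed_hash != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


def make_esp(spi, seq, ciphertext):
    """Minimal ESP packet: SPI, sequence number, then the encrypted body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def encapsulate_esp(esp_packet, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """UDP-encapsulate ESP as A sends it: src 4500, dst 4500.
    The UDP checksum is left at zero in this model."""
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(esp_packet), 0) + esp_packet


def encapsulate_ike(ike_message, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """IKE moved to port 4500 gets the non-ESP marker so B can tell it from ESP."""
    body = NON_ESP_MARKER + ike_message
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(body), 0) + body


def nat_rewrite(datagram, new_src_port):
    """What the NAT does on the way: rewrite the outer source port (src XXX on
    the slide). It never looks past the UDP header, so the ESP bytes survive."""
    _src, dst, length, csum = UDP_HDR.unpack(datagram[:UDP_HDR.size])
    return UDP_HDR.pack(new_src_port, dst, length, csum) + datagram[UDP_HDR.size:]


def demux_port_4500(datagram):
    """What B does on receipt: strip the UDP header and route the payload to
    IKE (marker present) or to ESP (non-zero SPI)."""
    src_port, _dst, length, _csum = UDP_HDR.unpack(datagram[:UDP_HDR.size])
    payload = datagram[UDP_HDR.size:length]
    if payload[:4] == NON_ESP_MARKER:
        return ("IKE", src_port, payload[4:])
    spi = struct.unpack("!I", payload[:4])[0]
    return ("ESP", src_port, spi)


if __name__ == "__main__":
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    # A believes it is 10.0.0.5:500; B sees the NAT's public address and port.
    claimed = nat_d_hash(cky_i, cky_r, "10.0.0.5", 500)
    print("NAT on path:", nat_detected(cky_i, cky_r, claimed, "203.0.113.7", 61000))
    sent = encapsulate_esp(make_esp(0x1000ABCD, 1, b"ciphertext"))
    rcvd = nat_rewrite(sent, 61000)
    print("B sees:", demux_port_4500(rcvd))
```

The point the model makes concrete: with AH (slide 25) the rewritten IP header breaks the integrity check, but with ESP inside UDP the bytes the integrity check covers are untouched by the NAT, and B keys its reply on the observed source port rather than on 4500. That is also why the firewall rules on slide 28 must admit UDP 4500 in addition to UDP 500.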

  28. Interoperability Issues
  • VPN client and VPN server must support NAT-T
  • Issues with third-party devices
  • Better interoperability as time goes on
  • NAT devices do not need any changes
  • Firewall support
    • Allow UDP 4500 traffic
    • Allow UDP 500 traffic

  29. NAT-T Status for Windows
  • Implemented to IETF Proposed Standard
  • Interoperability tested with third-party gateways for L2TP/IPSec
  • Intended for L2TP/IPSec in Windows XP and earlier
  • Intended for all IPSec uses in Windows Server 2003
  Note 1: Windows Update or hot fix
  Note 2: With hot fix
  Note 3: With Web download
  Note 4: Active FTP does not work
  Note 5: Some PMTU reductions do not work

  30. Enforcing Remote Access Client Security
  • Problem:
    • Remote clients might not meet corporate security requirements
    • Insecure computers on the corporate network endanger the entire network
  • Solutions:
    • Disallow remote access
    • Trust users to keep remote clients secure
    • Create a separate network for VPN clients
    • Enforce security settings upon connecting
    • Disconnect clients that are not secure: Network Access Quarantine Control

  31. The Quarantine Process
  [Diagram, RAS client → Internet → RRAS server → IAS server:]
  1. Connect (RAS client to RRAS server across the Internet)
  2. Authenticate and Authorize (RRAS server with IAS server)
  3. Quarantine and other filters applied
  4. Quarantine access policy check on the client
  5. Check result returned
  6. Remove quarantine
  7. Full access
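The sequence on this slide can be read as a small state machine in which the quarantine filters are applied before any client result is known, and the only two exits are "remove quarantine" or "disconnect". The following is an added example, not Microsoft's Network Access Quarantine Control code: the role names, the three checks the client-side script reports, the filter sets and the timeout value are constructed for the illustration.

```python
"""Added example (not Microsoft's Network Access Quarantine Control code):
a model of the connect / authenticate / authorize / quarantine / check /
release-or-disconnect sequence from the quarantine slide. Filter sets, the
checks reported by the client and the timeout are constructed values.
"""
from dataclasses import dataclass, field

# Filters applied while a client is quarantined: only what it needs to fix
# itself (constructed service names), plus the listener that takes the result.
QUARANTINE_FILTERS = ("update-server:tcp/80", "av-server:tcp/443", "rras:quarantine-listener")
FULL_ACCESS = ("any",)
QUARANTINE_TIMEOUT_S = 120   # constructed: disconnect if no result arrives in time


@dataclass(frozen=True)
class CheckResult:
    """What the client-side script reports after running the policy check."""
    firewall_enabled: bool
    signature_age_days: int
    missing_critical_updates: int


@dataclass
class Session:
    user: str
    state: str = "connecting"
    filters: tuple = ()
    trail: list = field(default_factory=list)   # audit trail of each step taken

    def step(self, state, filters=None):
        self.state = state
        if filters is not None:
            self.filters = filters
        self.trail.append(state)


def policy_satisfied(result, max_signature_age_days=7):
    """Quarantine access policy: firewall on, fresh AV signatures, no missing
    critical updates. All three must hold; one failure keeps the client out."""
    return (result.firewall_enabled
            and result.signature_age_days <= max_signature_age_days
            and result.missing_critical_updates == 0)


def handle_connection(user, credentials_valid, dial_in_allowed, result, seconds_waited):
    """Run one client through the whole process and return the final Session.

    result is the CheckResult the client sent back, or None if it never did;
    seconds_waited is how long the server waited for it."""
    s = Session(user)
    s.step("connect")
    if not credentials_valid:            # authentication (IAS) rejects the credentials
        s.step("disconnected")
        return s
    s.step("authenticated")
    if not dial_in_allowed:              # authorization: remote access policy denies the user
        s.step("disconnected")
        return s
    s.step("authorized")
    # Quarantine and other filters go on before any result is known.
    s.step("quarantined", QUARANTINE_FILTERS)
    if result is None or seconds_waited > QUARANTINE_TIMEOUT_S:
        s.step("disconnected", ())        # no (timely) result: drop the client
        return s
    if not policy_satisfied(result):
        s.step("disconnected", ())        # client is not secure: drop it
        return s
    s.step("full-access", FULL_ACCESS)   # remove quarantine
    return s


if __name__ == "__main__":
    print(handle_connection("alice", True, True, CheckResult(True, 1, 0), 10).trail)
    print(handle_connection("bob", True, True, CheckResult(True, 30, 0), 10).trail)
```

Two design points carried over from the slide: a client that never answers the check is treated the same as one that fails it (silence is not compliance), and the quarantine filter set is applied as a positive allow-list of remediation targets rather than by subtracting from full access.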

  32. Agenda
  • Introduction
  • Real-World Patch Management Strategies
  • Real-World Remote Access Strategies
  • Troubleshooting Security Configurations

  33. Resolving Security Template Conflicts
  • Use Resultant Set of Policies (RSoP) tools
    • Active Directory management tools
    • Group Policy Results from the GPMC
    • GPResult

  34. Troubleshooting Application Failures
  • Applying security patches or security templates might prevent applications from working
  • Tools for troubleshooting application failures
    • Network Monitor
    • File Monitor
    • Registry Monitor
    • Dependency Walker
    • Cipher

  35. Troubleshooting Services and Processes
  • You may need to troubleshoot services:
    • When services and processes fail to start
    • To confirm that all services and processes are legitimate
  • Tools to troubleshoot processes:
    • Tlist.exe or Process Explorer
    • Dependency Walker
    • Examine DLL properties

  36. Troubleshooting Network Connectivity Issues
  • Ensure that only required ports are open on the computers
  • Tools for determining port usage:
    • Netstat -o (on Windows XP or Windows Server 2003)
    • Task Manager
  • Test port usage for applications and services
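"Ensure that only required ports are open" is a comparison between what netstat -o reports and an approved baseline. The following is an added example, not from the deck: a parser for netstat -ano style output that maps every listening socket to its owning PID and flags listeners the baseline does not allow. The netstat lines, the PID-to-image map and the approved-port set are constructed; on a real host they would come from netstat -ano and tasklist, and the baseline from the server's documented role.

```python
"""Added example (not from the deck): parse netstat -ano style output, map
listening ports to PIDs, and flag listeners missing from an approved baseline.
The sample output, process map and baseline below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of netstat -ano output (Windows XP / Server 2003 format).
# UDP rows carry no State column, which the parser must tolerate.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.10:3389      192.168.1.55:50231     ESTABLISHED     1120
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2260
  UDP    0.0.0.0:500            *:*                                    640
  UDP    0.0.0.0:4500           *:*                                    640
"""

# Constructed PID -> image name map, as tasklist would report it.
SAMPLE_PROCESSES = {4: "System", 640: "lsass.exe", 832: "svchost.exe",
                    1120: "svchost.exe", 2260: "unknown.exe"}

# Constructed baseline: ports this server's role requires.
APPROVED = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 500), ("UDP", 4500)}

# State is optional (absent for UDP) and restricted to letters so it can never
# swallow the PID column.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def listening_sockets(rows):
    """Set of (proto, port, pid) that accept traffic: TCP in LISTENING state,
    and every bound UDP socket, since UDP has no connection state."""
    return {(r["proto"], r["port"], r["pid"]) for r in rows
            if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"}


def unexpected_listeners(rows, approved, processes):
    """Listeners not in the baseline, with the image name for follow-up in
    Process Explorer or Dependency Walker. Sorted for stable reporting."""
    found = []
    for proto, port, pid in listening_sockets(rows):
        if (proto, port) not in approved:
            found.append((proto, port, pid, processes.get(pid, "<unknown>")))
    return sorted(found)


def ports_by_pid(rows):
    """Invert the view: which ports does each process hold open?"""
    result = defaultdict(set)
    for proto, port, pid in listening_sockets(rows):
        result[pid].add((proto, port))
    return dict(result)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for entry in unexpected_listeners(rows, APPROVED, SAMPLE_PROCESSES):
        print("unexpected listener:", entry)
```

Running the check before and after a security template or patch is applied also answers the application-failure question from slide 34 from the other direction: a port that disappears from the listening set after a change is the first thing to correlate with the application that stopped working.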

  37. Best Practices for Troubleshooting
  • Use a formal change and configuration management strategy for all security changes
  • Test all security configuration changes
  • Use RSoP tools in planning mode
  • Document the normal settings
  • Have a rollback strategy
  • Troubleshoot securely

  38. Session Summary
  • Real-World Patch Management Strategies
  • Real-World Remote Access Strategies
  • Troubleshooting Security Configurations

  39. For More Information
  • Microsoft Security Site (all audiences)
    • http://www.microsoft.com/security
  • TechNet Security Site (IT professionals)
    • http://www.microsoft.com/technet/security
  • MSDN Security Site (developers)
    • http://msdn.microsoft.com/security
