EDUCAUSE 2006: Seminar 09F

Effective Security Practices for Higher Education

WINDOWS SECURITY

John Bruggeman

Director of Information Systems

Hebrew Union College – Jewish Institute of Religion

Windows Security !
  • Agenda
    • Top Vulnerabilities in Windows Systems
      • (Is there anything new?)
    • Frequent Security mistakes
      • (Avoid being 0wn3d by a b0t)
    • Patching Windows
      • (What happened to cleaning them?)
    • Hardening Windows
      • (Tempered Glass doesn’t count!)
    • Tools and Tips
      • (What do the pros and the hackers use?)
Windows Security !?
  • Top Vulnerabilities in Windows Systems
    • From the SANS website www.sans.org
      • Windows Services
      • Internet Explorer
      • Windows Libraries
      • MS Office and Outlook Express
      • Windows Configuration Weaknesses
Windows Security !?
  • Top Vulnerabilities in Windows Systems
    • From the SANS website www.sans.org
      • Windows Services
        • Critical vulnerabilities were found in these services in 2005:
          • MSDTC and COM+ (MS05-051)
          • Print Spooler (MS05-043)
          • Plug and Play (MS05-047, 039)
          • Server Message Block Service (MS05-027, 011)
          • Exchange SMTP Service (MS05-021)
          • Message Queuing Service (MS05-017)
          • License Logging Service (MS05-010)
        • What to do?
          • Disable Service if possible
          • Scan for Vulnerabilities
          • PATCH
Windows Security !?
  • From the SANS Website www.sans.org

2) Internet Explorer

      • Multiple vulnerabilities were discovered in 2005 in IE
        • Cumulative Security Updates for IE (MS05-052, 038, 025, 020, 014)
        • JView Profiler Remote Code Execution (MS05-037)
        • Windows Shell Remote Code Execution (MS05-008)
      • How to mitigate
        • On XP, install SP2
        • On 2000, NT, keep patches current
        • Use DropMyRights from MS to lower IE privileges
        • Check your Browser Helper Objects (BHOs) for spyware
        • Disable Scripting and ActiveX
Windows Security !?
  • From the SANS Website www.sans.org

3) Windows Libraries

      • DLLs can have buffer overflow vulnerabilities, and any program that loads the DLL inherits them
      • Vulnerabilities discovered in 2005
        • Windows Graphic Rendering Engine (MS05-053)
        • Microsoft Direct Show (MS05-036)
        • HTML Help remote code exec (MS05-026, 001)
        • Web View remote code exec (MS05-024)
        • Windows Shell remote code (MS05-049, 016)
        • PNG Image Processing remote code (MS05-009)
      • Patch your systems and scan for vulnerabilities
      • Use least privilege where possible
      • Filter TCP/UDP ports 135-139 and 445 at the network border and on the host
      • Use an IPS and an IDS
Windows Security !?
  • From the SANS Website www.sans.org

4) MS Office and Outlook Express

      • Attack vectors are email attachments, website documents, and news servers
      • Several critical vulnerabilities in 2005
        • Cumulative Security for Outlook Express (MS05-030)
        • Microsoft OLE and COM remote (MS05-012)
        • MS Office XP remote code exec (MS05-005)
        • MS Access – no patch yet available
      • Check your systems with a vulnerability scanner
      • Mitigate by patching; disable the IE feature that opens Office documents inside the browser
      • Configure Outlook with enhanced security
Windows Security !?
  • From the SANS Website www.sans.org

5) Windows configuration Weaknesses

      • Weak passwords on accounts or network shares
        • LAN Manager (LM) hashes are weak (case-insensitive, split into two 7-character halves) and should be replaced with stronger, current hash techniques
        • Default configurations for servers and applications can leave machines open to password guessing.
        • MSDE ships with the SA account set to a blank password.
        • Several worms (Voyager, Alpha Force, SQL Spida) use these known weak configurations to spread
      • Enforce a strong password policy
      • Prevent Windows from storing the LM hash in AD or the SAM
      • Disable NULL shares and restrict anonymous access
Windows Security !?%
  • Frequent Mistakes made in Windows Security
      • Deirdre Hurley
        • www.sans.org/reading_room/whitepapers/windows/1016.php
    • Allowing Null Sessions
    • Weak Lockout Policies
    • Weak Account Policies
    • Multiple Trust relationships
    • Multiple Domain admin accounts
    • Audit logs turned off
    • Automatic Updates turned off
Windows Security !?%
  • Frequent Mistakes made in Windows Security
    • Allowing Null Sessions
      • What is a Null session?
        • net use \\10.1.1.1\ipc$ "" /user:""
      • So what?
        • You can download usernames, login information, lockout policy information, etc.
      • How do you disable one?
        • MS Security Policy MMC snap-in
        • Update registry key
        • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
      • Tools to test
        • www.securityfriday.com/tools/GetAcct.html
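The following script is an added example, not part of the seminar slides. It audits and remediates the LSA registry values behind this slide (null sessions, RestrictAnonymous) and the earlier "prevent Windows from storing the LM hash" item (NoLMHash), then probes a host with the same net use command shown above. It assumes an elevated PowerShell session on Windows 2000/XP/2003 or later; the target address 10.1.1.1 is the slide's sample address, and the registry value names are Microsoft's documented ones.

```powershell
# Added example (not the seminar's own code): audit and harden the LSA values that
# govern null sessions and LM hash storage, then probe a host the way an attacker would.
# Run with -WhatIf first. RestrictAnonymous=2 on Windows 2000 can break domain browsing
# and trusts, so 1 is used here; NoLMHash only takes effect on the next password change.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Target = '10.1.1.1'   # host to probe with a null session (slide's sample address)
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired REG_DWORD values under the Lsa key.
$desired = [ordered]@{
    RestrictAnonymous         = 1   # no anonymous enumeration of shares
    RestrictAnonymousSAM      = 1   # no anonymous enumeration of SAM accounts (XP/2003+)
    EveryoneIncludesAnonymous = 0   # anonymous logon is NOT a member of Everyone
    NoLMHash                  = 1   # stop storing LM hashes in the SAM / AD
}

function Test-NullSession {
    param([string]$ComputerName)
    # Empty user and empty password: exactly the slide's net use probe.
    $out = cmd /c "net use \\$ComputerName\ipc$ `"`" /user:`"`" 2>&1"
    $allowed = ($LASTEXITCODE -eq 0)
    if ($allowed) { cmd /c "net use \\$ComputerName\ipc$ /delete /y" | Out-Null }
    [pscustomobject]@{ Host = $ComputerName; NullSessionAllowed = $allowed; Output = ($out -join ' ') }
}

# 1. Report the current state of every value we care about.
$current = Get-ItemProperty -Path $lsa
foreach ($name in $desired.Keys) {
    $have = $current.$name
    $status = if ($null -eq $have) { 'MISSING' } elseif ($have -eq $desired[$name]) { 'OK' } else { 'WEAK' }
    '{0,-26} current={1,-8} desired={2} {3}' -f $name, ($have -as [string]), $desired[$name], $status
}

# 2. Remediate anything missing or weak (honours -WhatIf / -Confirm).
foreach ($name in $desired.Keys) {
    if ($current.$name -ne $desired[$name]) {
        if ($PSCmdlet.ShouldProcess("$lsa\$name", "set to $($desired[$name])")) {
            Set-ItemProperty -Path $lsa -Name $name -Value $desired[$name] -Type DWord
        }
    }
}

# 3. Probe a remote host: NullSessionAllowed should be False once the target is hardened.
Test-NullSession -ComputerName $Target
```

The probe is the same check GetAcct automates; running it from a second machine after the change confirms the setting took effect (a reboot is needed on older systems), and NoLMHash should be followed by forcing a password change so existing LM hashes are purged.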
Windows Security !?%
  • Frequent Mistakes made in Windows Security
    • Weak Lockout Policies
      • If you don’t have one then brute force attacks can succeed
      • If you do have one it becomes more difficult
      • Suggested levels
        • Account lockout threshold: 5 invalid attempts
        • Account lockout duration: 30 minutes
        • Reset account lockout counter after: leave disabled so the failed-attempt counter is not reset
      • Also, enable Administrator account lockout
        • Get the ADSI Edit Snap-in from Windows 2000 support tools
        • http://support.microsoft.com/kb/885119/en-us
Windows Security !?%
  • Frequent Mistakes made in Windows Security
    • Weak Account Policies
      • Be aware: on Windows 2000, local account policies govern local accounts regardless of the domain account policy
      • Some admins create local users that mirror domain users
      • They forget to set the local Administrator password, sometimes leaving it blank
      • General rules for accounts and passwords
        • Maximum password age 90 days
        • Minimum password age 5 days
        • Minimum password length of at least 7 characters, 14 for Administrators
        • Password Uniqueness – remember 13 passwords
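As an added example (not from the seminar), the script below exports the machine's effective security policy with secedit and checks the lockout and password settings from the two slides above against the recommended values. The thresholds encoded in the script are the slides' suggestions, not Microsoft defaults; the complexity check is an assumption added for completeness. Run it elevated on the machine (or domain controller) whose policy you want to verify.

```powershell
# Added example, not the seminar's own code: compare the local security policy against
# the slide's lockout / password recommendations. On a domain member the exported policy
# governs LOCAL accounts; domain accounts follow the domain's Default Domain Policy.

$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Parse numeric entries of the [System Access] section into a hashtable.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Test-Threshold([int]$Have, [string]$Op, [int]$Want) {
    switch ($Op) {
        '-ge' { $Have -ge $Want }
        '-le' { $Have -le $Want }
        '-eq' { $Have -eq $Want }
    }
}

# INF key, comparison, and the slide's recommended value.
$checks = @(
    @{ Key='LockoutBadCount';       Op='-ge'; Want=1;  Note='a lockout threshold must exist (slide: 5 attempts)' }
    @{ Key='LockoutBadCount';       Op='-le'; Want=5;  Note='lock out after at most 5 attempts' }
    @{ Key='LockoutDuration';       Op='-ge'; Want=30; Note='lockout duration 30 minutes (-1 = until an admin unlocks)' }
    @{ Key='MaximumPasswordAge';    Op='-le'; Want=90; Note='maximum password age 90 days (-1 = never expires)' }
    @{ Key='MinimumPasswordAge';    Op='-ge'; Want=5;  Note='minimum password age 5 days' }
    @{ Key='MinimumPasswordLength'; Op='-ge'; Want=7;  Note='minimum length 7 (14 for administrators)' }
    @{ Key='PasswordHistorySize';   Op='-ge'; Want=13; Note='remember 13 passwords' }
    @{ Key='PasswordComplexity';    Op='-eq'; Want=1;  Note='complexity on (assumption, not on the slide)' }
)

$failures = 0
foreach ($c in $checks) {
    $have = $policy[$c.Key]
    # secedit writes -1 for "never" / "forever": that passes a lockout-duration test
    # (locked until an admin intervenes) but fails a maximum-password-age test.
    if ($null -eq $have)  { $pass = $false }
    elseif ($have -eq -1) { $pass = ($c.Key -eq 'LockoutDuration') }
    else                  { $pass = Test-Threshold $have $c.Op $c.Want }
    if (-not $pass) { $failures++ }
    $tag = if ($pass) { 'PASS' } else { 'FAIL' }
    '{0} {1,-22} have={2,-4} want {3} {4}  ({5})' -f $tag, $c.Key, $have, $c.Op, $c.Want, $c.Note
}
"`n$failures setting(s) weaker than the recommendation"

# To apply the slide's values on a stand-alone machine without editing the INF by hand:
#   net accounts /lockoutthreshold:5 /lockoutduration:30
#   net accounts /maxpwage:90 /minpwage:5 /minpwlen:7 /uniquepw:13
```

Because the check reads the exported INF rather than the GUI, it can be scheduled and its FAIL lines collected from every host; the local policy is what matters for the mirrored local accounts and the blank local Administrator password the slide warns about.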
Windows Security !?%
  • Frequent Mistakes made in Windows Security
    • Multiple Trust relationships
      • Limit the number of trusts in your domain
      • Fewer gaps, less that has to be guarded
      • Windows 2000 Tool to find out what trusts you have
        • NT Resource Kit - NLTEST
Windows Security !?%
  • Frequent Mistakes made in Windows Security
    • Multiple Domain admin accounts
      • Avoid the mistake of having three or four (or more) Domain accounts, or having domain privileges with “normal” users
      • Use the practice of least privileges for all accounts
      • Change default passwords for typical accounts
        • Backup software
          • ArcServe, Tivoli, BackupExec
        • Test accounts
          • Test, dummy,
        • Lab accounts
        • Administrator accounts
Windows Security !?%
  • Frequent Mistakes made in Windows Security
    • Audit logs turned off
      • By default audit logs are turned off
      • Attackers have tools such as DumpSec (formerly DumpAcl) to find out whether auditing is turned on or off
      • Recommend settings for Auditing
        • Account logon events (Success and Failures)
        • Logon Events
        • Account Management
        • Policy Changes
        • System Events
        • Object Access (Success and Failures)
          • Files, folders, and registry keys must then be set
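The script below is an added example, not part of the seminar. It turns on the audit categories the slide recommends with auditpol (success and failure for each) and then adds the SACLs that Object Access auditing needs on a folder and a registry key, since that category records nothing until an object carries an audit entry. It assumes an elevated session on Vista / Server 2003 SP1 or later (auditpol syntax) and an English category set; the folder and registry paths are placeholders.

```powershell
# Added example, not the seminar's own code: enable the recommended audit categories and
# put SACLs on a folder and a registry key so Object Access produces events.
# $folder and $regKey are assumed placeholders; replace with the objects you care about.

$folder = 'C:\Finance\Payroll'              # assumed folder to watch
$regKey = 'HKLM:\SOFTWARE\Contoso\Config'   # assumed registry key to watch

# 1. Audit policy: the slide's categories, success and failure for each.
$categories = 'Account Logon', 'Logon/Logoff', 'Account Management', 'Policy Change', 'System', 'Object Access'
foreach ($cat in $categories) {
    auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
}

# 2. SACL on the folder: audit Everyone for writes, deletes and permission changes,
#    inherited by files and subfolders.
function Add-FileAudit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl  = Get-Acl -Path $Path -Audit          # -Audit reads the SACL (needs SeSecurityPrivilege)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 3. SACL on the registry key: audit value changes, subkey creation and deletion.
function Add-RegistryAudit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Add-FileAudit     -Path $folder
Add-RegistryAudit -Path $regKey

# 4. Verify the policy and the SACL, then look for the events they should now generate:
#    4663 = object access, 4625 = failed logon, 4720 = user account created.
auditpol /get /category:*
(Get-Acl -Path $folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4625, 4720 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Object Access with broad SACLs fills the Security log quickly, so scope the audited rights to what you would actually investigate and raise the log size (or forward events) before enabling it fleet-wide.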
Windows Security !?%
  • Frequent Mistakes made in Windows Security
    • Automatic Updates turned off
      • SANS, Gartner Group and others report that 80-90% of attacks exploit known vulnerabilities.
      • SQL Slammer (W32.Slammer), in January 2003, attacked a known vulnerability whose patch (MS02-039) had been available for six months before it hit.
    • Need to patch systems and keep them current
      • Does require a patch management strategy
      • Will require time
      • Payoff is less downtime
Windows Security !?%#
  • Patching Windows
        • Rod Gode, UC Davis IT Security Symposium 2005
    • What to Patch and How to Patch
      • Options
        • Commercial
        • Microsoft Provided
      • Deployment and Testing
        • Get some test machines
      • Verification
        • MBSA
Windows Security !?%#
  • Patching Windows
    • What to Patch
      • OS
      • Applications
      • BIOS
      • Firmware
    • Types of Patches from MS
      • Hotfix, Update, Critical Update, Security Patch, Update Roll-up, Service Pack
Windows Security !?%#
  • How to Patch
    • Develop a Plan
      • Hardware and Software Inventory
      • Patch management Policy & Process
      • Include a notification process
      • Track & check patch level
      • Download and test patches prior to deployment
      • Deploy patches
      • Audit workstations for compliance
Windows Security !?%#
  • How to Patch
    • Tools from Microsoft (MS)
      • Analysis tool from MS, Microsoft Baseline Security Analyzer (MBSA)
      • Online update services –
        • Microsoft Update, Windows Update, or Download Center
      • Push / Management tools
        • WSUS server, SMS server, Group Policies
Windows Security !?%#
  • How to Patch
    • Tools from Microsoft
      • Microsoft Update is different than Windows Update
        • MU updates all MS products not just windows
          • Office updates, Server product patches
      • WSUS is updated SUS server
        • New version coming out, WSUS 3.0 in Beta now
        • www.microsoft.com/wsus
        • Target client installs, selective client patching, uninstall options
Windows Security !?%#
  • How to Patch
    • Commercial Tools
      • Altiris Patch Management
        • www.altiris.com
      • BigFix Patch Manager
        • www.bigfix.com
      • Ecora Patch Manager
        • www.ecora.com
      • LanDesk Patch Management
        • www.landesk.com
Windows Security !?%#
  • Deployment Options
    • WSUS and SMS
    • Group Policy options (2000 & XP only)
      • Create an Install Package (MSI file) containing the patch, see KB article 257718 on how to do this
      • Store the MSI file on a network share
      • Assign the patch to groups via a group policy
      • Choose the "Assigned" deployment method
      • The patch is installed on the assigned computers by Windows Installer at startup
    • Slipstream
      • Create an image w/ service packs and patches
Windows Security !?%#
  • Testing and Verification
    • Patch systems are not perfect; verify on the host after patches have been applied
    • Tools
      • Microsoft Baseline Security Analyzer 2.0
        • Used for Windows 2000 + SP3 and later
        • Office XP and later
        • Exchange 2000 and later
      • Microsoft Baseline Security Analyzer 1.2.1
        • Office 2000
        • Exchange 5.0 and 5.5
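As an added example (not from the seminar), the following script does the verification step from the machine's own point of view rather than trusting the patch server's report, which is the same idea MBSA implements: it asks the Windows Update Agent which applicable updates are still not installed, checks a baseline list of KBs against Get-HotFix, and flags a pending reboot (an installed but not yet active patch is not protection). The KB numbers in $required are constructed placeholders for whatever baseline you maintain.

```powershell
# Added example, not the seminar's own code: verify patch state on the host with the
# Windows Update Agent COM API (Microsoft.Update.Session) and Get-HotFix.
# $required is a constructed placeholder list; substitute your real baseline.

$required = @('KB000001', 'KB000002')   # placeholder KB identifiers

function Get-MissingUpdates {
    # WUA searches against whatever source the client is configured for
    # (WSUS, Microsoft Update, or an offline scan cab) and returns what is not installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
            Severity = $u.MsrcSeverity            # Critical / Important / Moderate / Low / blank
            Bulletin = ($u.SecurityBulletinIDs -join ',')
        }
    }
}

function Test-Baseline {
    param([string[]]$RequiredKBs)
    # Get-HotFix reads the installed-updates list; it misses some non-MSU installs, which
    # is why the WUA search above is the authoritative "what is still missing" answer.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredKBs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Test-PendingReboot {
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
}

'== Baseline KBs =='
Test-Baseline -RequiredKBs $required | Format-Table -AutoSize
'== Updates WUA reports as still missing =='
Get-MissingUpdates | Sort-Object Severity -Descending | Format-Table Title, KB, Severity, Bulletin -AutoSize
"Pending reboot: $(Test-PendingReboot)"
```

Run the WUA search on a sample of machines after each deployment cycle and compare its output with what WSUS or SMS claims; disagreements usually point to clients that are not reporting, have a stale detection cache, or are waiting on a reboot.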
Windows Security !?%#
  • Testing and Verification
    • Commercial Tools
      • BindView - www.bindview.com
      • Computer Associates - www.ca.com
      • Network Associates – www.nai.com
      • Symantec – www.symantec.com
      • Trend Micro – www.trendmicro.com
      • Foundstone – www.foundstone.com
Windows Security !!
  • Hardening Windows
        • Advanced Information Assurance Handbook, CERT
    • Hardening techniques
      • Limit services
      • Limit applications
      • Limit protocols
    • Intrusion Protection techniques
      • Software options to monitor file changes
      • Host based firewalls
    • Tools from Microsoft
Windows Security !!
  • Hardening Windows
    • Hardening techniques
      • Limit services
        • Verify what services are needed
        • On servers, these can usually be disabled
          • IIS (unless needed), Fax service, Indexing service, Messenger, Telnet, Remote Access, QoS RSVP, others.
        • On workstations disable unless needed
          • Fax service, Indexing service, messenger, Telnet, others
          • Enable firewall
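The script below is an added example, not part of the seminar. It disables the services listed on this slide after saving a snapshot of every service's state so the change can be reversed, skips any candidate that has running dependents, and finishes by listing what is still listening on TCP so you can see what remains exposed. The short service names are my mapping of the slide's entries (Indexing Service is CISvc on older Windows and WSearch on newer ones); IIS is left alone unless -DisableIIS is passed, matching the slide's "unless needed". Assumes an elevated PowerShell 5 session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not the seminar's own code: reversible service reduction for the
# services named on the slide. Run with -WhatIf first.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableIIS,
    [string]$Backup = "$env:ProgramData\service-baseline-$(Get-Date -Format yyyyMMdd).csv"
)

# Slide entry -> Windows service short name (assumed mapping).
$candidates = @(
    'Fax',          # Fax service
    'CISvc',        # Indexing Service (pre-Vista)
    'WSearch',      # Windows Search, the Indexing Service's successor
    'Messenger',    # Messenger service (net send pop-ups; pre-Vista)
    'TlntSvr',      # Telnet server
    'RemoteAccess', # Routing and Remote Access
    'RSVP'          # QoS RSVP
)
if ($DisableIIS) { $candidates += 'W3SVC' }   # IIS, only when explicitly requested

# 1. Snapshot every service (name, state, start mode) so the change is reversible.
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode |
    Export-Csv -Path $Backup -NoTypeInformation
"Baseline written to $Backup"

# 2. Disable only the candidates that exist, are not already disabled, and have no
#    running dependents (a dependent that still needs the service is a sign it is needed).
foreach ($name in $candidates) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    if ($svc.StartType -eq 'Disabled') { continue }
    $dependents = Get-Service -Name $name -DependentServices | Where-Object Status -eq 'Running'
    if ($dependents) {
        Write-Warning ("{0}: running dependents ({1}); review before disabling" -f $name, ($dependents.Name -join ','))
        continue
    }
    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'stop and set startup type Disabled')) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
        '{0,-14} {1,-40} -> Disabled' -f $name, $svc.DisplayName
    }
}

# 3. What is still listening? Pair each open TCP port with its owning process.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $p.ProcessName }
    } | Format-Table -AutoSize
```

The listening-port table is the real measure of "limit services": a service that is disabled but whose port is still open belongs to something else, and that something else is the next candidate.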
Windows Security !!
  • Hardening Windows
    • Hardening techniques
      • Limit applications
        • Verify what applications are needed, many can be removed without impacting functionality
        • On servers, usually you can remove the following
          • Outlook Express, IIS, Media Player, Journal Viewer, Games, POSIX and OS/2 subsystems
        • On workstations, usually you can remove the same
        • Limit what applications end users can run
        • Do not allow end users to install applications
Windows Security !!
  • Hardening Windows
    • Hardening techniques
      • Limit protocols
        • Verify what protocols are needed for your network
          • On servers normally TCP/IP is sufficient
          • On workstations normally TCP/IP is all that is needed
          • Remove IPX/SPX and NetBIOS where they are not needed
      • Limit Network devices
        • Bluetooth (disable unless needed)
        • Wireless (disable unless needed)
        • Firewire (disable unless needed)
Windows Security !!
  • Hardening Windows
    • Firewalls
      • Host based firewalls
        • Server options
          • Windows 2003 SP1 firewall option
        • Workstation options
          • XP SP2, ZoneAlarm, Tiny Personal Firewall
          • 85 listed on Download.com
        • IPSEC
          • Encrypt traffic from host to host
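As an added example (not from the seminar), the script below turns this slide's host firewall advice and the earlier "filter ports 135-139 and 445" item into a concrete Windows Firewall policy: inbound blocked by default, the built-in File and Printer Sharing allow rules switched off, and the RPC/NetBIOS/SMB ports allowed only from a management subnet. An optional switch adds the host-to-host IPsec requirement the slide mentions. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated session; the 10.20.30.0/24 management subnet is a constructed placeholder.

```powershell
# Added example, not the seminar's own code: host firewall policy scoping 135-139/445
# to a management subnet, with optional IPsec for SMB. Run with -WhatIf first.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$MgmtNet = '10.20.30.0/24',   # assumed admin / jump-host subnet
    [switch]$RequireIPsec                 # also require IPsec (Kerberos computer auth) for SMB
)
$group = 'Seminar09F-Hardening'           # tags every rule so they can be listed or removed together

# 1. Default posture: firewall on for every profile, inbound dropped unless a rule allows it.
if ($PSCmdlet.ShouldProcess('Windows Firewall', 'enable all profiles, default inbound Block')) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
}

# 2. The built-in "File and Printer Sharing" group allows 137-139/445 from anywhere, which
#    would defeat the scoping below; an explicit Allow cannot be narrowed by another Allow.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

# 3. Idempotent: drop this script's rules before re-creating them.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$ports = @(
    @{ Name = 'RPC endpoint mapper (135)';  Protocol = 'TCP'; Port = 135 },
    @{ Name = 'NetBIOS name service (137)'; Protocol = 'UDP'; Port = 137 },
    @{ Name = 'NetBIOS datagram (138)';     Protocol = 'UDP'; Port = 138 },
    @{ Name = 'NetBIOS session (139)';      Protocol = 'TCP'; Port = 139 },
    @{ Name = 'SMB (445)';                  Protocol = 'TCP'; Port = 445 }
)
foreach ($p in $ports) {
    # Allow only from the management subnet; every other source hits the default Block.
    New-NetFirewallRule -DisplayName "Allow $($p.Name) from $MgmtNet" -Group $group `
        -Direction Inbound -Action Allow -Protocol $p.Protocol -LocalPort $p.Port `
        -RemoteAddress $MgmtNet -Profile Domain, Private | Out-Null
}

if ($RequireIPsec) {
    # Transport-mode IPsec for SMB: inbound peers must authenticate, outbound requests it.
    # The default auth set is Kerberos computer credentials, so this works only between
    # domain members; test on one host first, since a failed negotiation just drops traffic.
    New-NetIPsecRule -DisplayName 'Require IPsec for SMB' -Group $group `
        -InboundSecurity Require -OutboundSecurity Request -Protocol TCP -LocalPort 445 | Out-Null
}

# 4. Verification: which enabled inbound Allow rules still expose these ports, and to whom?
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        if (@($pf.LocalPort) | Where-Object { $_ -in 135, 137, 138, 139, 445 }) {
            [pscustomobject]@{
                Rule = $_.DisplayName
                Port = ($pf.LocalPort -join ',')
                From = ($af.RemoteAddress -join ',')
            }
        }
    } | Format-Table -AutoSize
```

The verification table is the part worth keeping: any row whose From column reads Any is a rule (often added by an installer) that reopens the port to the whole network regardless of the scoped rules above.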
Windows Security !!
  • Hardening Windows
    • Intrusion Protection Systems
      • IPS vs IDS
        • Why detect when you can protect?
        • Signature vs Anomaly based
      • IPS can be host or network based
      • IPS Host options
        • EEye BLINK, Prevx Home
      • IDS host options
        • SFC (System File Checker) from MS (can be spoofed)
        • LanGuard
      • IPS Network options
        • Forescout, Tipping Point, McAfee, ISS are options
Windows Security !!
  • Hardening Windows
    • Tools from Microsoft
        • www.microsoft.com/technet/security/tools
      • MBSA 2.0
      • Microsoft Enterprise Scan Tool
      • Security Assessment Tool
      • IIS Lockdown Tool
        • Hardens IIS
      • URLScan Security Tool
        • Included in IIS lockdown tool
      • Cipher Security Tool
        • Shredder for deleted files
      • Port Reporter
        • Logging tool for TCP and UDP activity on XP, 2003, 2000
Windows Security :-)
  • Tools and Techniques
    • Free tools
      • Metasploit
        • Framework for testing exploits
      • Nessus
        • Scanning tool to check for vulnerabilities
      • Ethereal
        • Packet sniffer
Windows Security :-)
  • Tools and Techniques
    • Free tools
      • Metasploit
        • DEMO
      • Nessus
        • DEMO
      • Ethereal
        • DEMO
Windows Security :-)
  • Resources
      • www.educause.edu/security
      • www.microsoft.com/technet/security
      • www.sans.org/reading_room/whitepapers/windows
      • www.securityfriday.com
      • www.cert.org
      • www.hackingexposed
      • www.incidents.org