Hardening Active Directory: Windows 2000/2003 Network Infrastructure
Presented by: James Placer, Senior Security Analyst, ISG


James Placer

Over 17 years of IT and security experience.

Certifications: Cisco CCSP, CCDP, CCNP; Check Point CCSE; NSA InfoSec 4011; Microsoft MCSE 2000. Contributing author to two Cisco certification books.

Authored and contributed to numerous trade magazine articles in the security field.

Agenda

• Current State of Network Security
• Security Policy Development
• Security Policy Application
• Architecture and Security
• Configuring AD
• Hardening Servers and Clients
• Questions

CERT Coordination Center Statistics

(Chart: CERT number of incidents reported per year for 1999, 2000, 2001, 2002 and 1Q-2Q 2003; x-axis "Number of Incidents" from 0 to 100,000, y-axis "Year".)

Threat Capabilities: More Dangerous and Easier to Use

(Chart: sophistication of attacker tools rising from 1980 through 2000 while the technical knowledge required falls from high to low. Milestones in order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sweepers, sniffers, stealth diagnostics, packet forging/spoofing, DDoS, Internet worms.)

2002 FBI Security Survey Results

• 92% of surveyed companies were hacked in 2002
• 90% of surveyed companies have firewalls in place
• 82% of the companies hacked suffered financial losses, totaling over $464 million
• 70% of hacks are internal

Vulnerabilities to Network Attack

(Diagram of three attack paths into the network and the share of assessed organizations found vulnerable to each:)
• External exploitation from the Internet: 75% vulnerable (95+% vulnerable externally when secondary exploitation is included)
• Internal exploitation: 100% vulnerable
• Dial-in exploitation: 65+% vulnerable

Security Policy Development

70% of companies that reported being hacked also stated that they lacked a current security policy, and that the lack of a policy was the primary contributor.

W5

• WHAT do you need to protect?
• WHO needs access to it?
• WHY do they need access?
• From WHERE do they need access to it?
• WHEN do they need access?

State and Federal Statutes Affecting Security

• Feingold bill / California breach notification law (expect a federal statute in eight months)
• Sarbanes-Oxley Act
• Gramm-Leach-Bliley Act
• HIPAA
• FDA 21 CFR Part 11
• ISO 17799

Security is a process, not a product or a reaction!

Security Policy Application

• Appropriate design and architecture
• Appropriate monitoring and accountability
• Appropriate change management
• Appropriate technology
• Appropriate user awareness training

Architecture Is Fundamental to Security

• Domain controllers
• Authentication servers
• Web servers
• File and print servers
• Bastion hosts, IAS servers, etc.

Ultimate Architecture Goal

• One service, one system, one appropriately secured system
• Practically speaking, this may not be possible
• More services lead to more vulnerabilities

Architecture Steps

• Define physical architecture
• Define server roles
• Define server services
• Define security levels required
• Define physical security guidelines

Determine Appropriate Security Level

Windows Security

• Windows 2000 and Windows Server 2003 are Common Criteria certified
• Extreme levels of security are possible, but compatibility and performance will be degraded
• The level of hardening is a business decision based on business requirements

Securing AD

• Organizational Unit design
• Organizational Unit permissions
• Inheritance
• Server security
• Network security

Windows Policy Precedence

(Diagram: Group Policy is applied in the order local, site, domain, OU; a setting applied later overrides an earlier one unless the earlier link is enforced.)

Define OUs for All Functional Server Groups

• Include administration and infrastructure

Apply OU Policies

• Windows Server 2003 (through the Windows Server 2003 Security Guide) ships with extensive default role-based policies
• Store the templates on a single domain controller
• Roles: member servers, domain controllers, file servers, print servers, infrastructure, IIS, bastion, etc.
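The OU design, permission and inheritance points of the last few slides, as an added PowerShell example that is not part of the original deck: it builds a role-based OU layout under a Servers OU, links one baseline GPO per role, enforces the shared baseline and prints the resulting precedence. It assumes a domain-joined admin host with the RSAT ActiveDirectory and GroupPolicy modules and Domain Admin rights; the OU names, GPO names and the "Baseline-" prefix are my own choices, not anything Windows ships with.

```powershell
# Added example; not from the original deck. Role OUs, a baseline GPO per role, and
# inheritance/enforcement controlling precedence. Assumes RSAT ActiveDirectory and
# GroupPolicy modules, Domain Admin rights. OU and GPO names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example
$serversDN = "OU=Servers,$domainDN"

# Functional server groups from the deck. Domain controllers stay in the built-in
# "Domain Controllers" OU (moving them is unsupported), and a bastion host is not
# joined to AD at all, so neither gets an OU here.
$roles = 'MemberServers', 'FileServers', 'PrintServers', 'Infrastructure', 'IIS', 'Administration'

function Ensure-OU([string]$Name, [string]$Path) {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
}

function Ensure-GPOLink([string]$GpoName, [string]$TargetDN, [bool]$Enforced = $false) {
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Comment 'Role security baseline' | Out-Null
    }
    # A GPO can be linked to an OU only once; an existing link just raises an error we ignore.
    New-GPLink -Name $GpoName -Target $TargetDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    $enforce = if ($Enforced) { 'Yes' } else { 'No' }
    Set-GPLink -Name $GpoName -Target $TargetDN -Enforced $enforce | Out-Null
}

# 1. Parent OU with a baseline every server inherits. Enforced, so a child-OU GPO
#    cannot weaken it (enforced links win even where a child blocks inheritance).
Ensure-OU -Name 'Servers' -Path $domainDN
Ensure-GPOLink -GpoName 'Baseline-AllServers' -TargetDN $serversDN -Enforced $true

# One setting the deck insists on for every server: NTLMv2 only (LmCompatibilityLevel 5).
Set-GPRegistryValue -Name 'Baseline-AllServers' -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# 2. One child OU and one role GPO per functional group; not enforced, so the role
#    GPO can be tuned without touching the shared baseline.
foreach ($role in $roles) {
    Ensure-OU -Name $role -Path $serversDN
    Ensure-GPOLink -GpoName "Baseline-$role" -TargetDN "OU=$role,$serversDN"
}

# 3. Domain controllers: link the DC baseline to the built-in OU instead.
Ensure-GPOLink -GpoName 'Baseline-DomainControllers' -TargetDN "OU=Domain Controllers,$domainDN"

# 4. Show the resulting precedence for one role. Order 1 is applied last and wins;
#    an Enforced link from a parent floats above the child's own links.
Get-GPInheritance -Target "OU=MemberServers,$serversDN" |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize
```

Run it once as a Domain Admin; it is idempotent, so re-running only reports precedence. Setting LmCompatibilityLevel to 5 domain-wide breaks any client that still sends LM or NTLMv1 (Windows 9x without the Directory Services Client), which is exactly why the deck pairs it with eliminating Windows 9x.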

Secure User Groups

• Create appropriate user OUs
• Apply default templates if appropriate
• Create custom templates as needed
• Review the Microsoft "Threats and Countermeasures Guide" for appropriate settings

Hardening Servers

• Windows 2000 and Windows Server 2003 are Common Criteria certified
• Extreme levels of security are possible, but compatibility and performance will be degraded
• The level of hardening is a business decision based on business requirements

Hardening Servers cont.

• Configurations beyond the default hardening settings available in the MMC security snap-ins
• May involve third-party products, e.g. IPS systems
• Determine what level of service is acceptable

Bastion Hosts

• Externally accessible servers, e.g. web, DNS
• High attack probability
• Must be tightly controlled

Bastion Hosts cont.

• DELETE, do not merely disable, any extra services
• Use DEPENDS from the resource kit to determine dependencies before removing anything
• Should be one service to one server
• Not published in or integrated into AD; ideally no internal access
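The "delete, don't disable" step above, as an added PowerShell example that is not part of the original deck. DEPENDS (Dependency Walker) shows DLL-level dependencies of a binary; this script walks the Service Control Manager's service-level dependencies instead, prints the tree for every running or auto-start service outside an allow-list, refuses to touch anything an allowed service depends on, and only with -Remove stops, disables and deletes the rest. It assumes an elevated PowerShell 5.1+ session on the host; the allow-list is a hypothetical one for a stand-alone IIS web bastion and must be validated in a lab before use.

```powershell
# Added example; not from the original deck. SCM-level dependency walk plus removal
# (not just disabling) of services outside the allow-list when -Remove is given.
# Assumes an elevated PowerShell 5.1+ session. The allow-list is hypothetical.
param([switch]$Remove)

$allowed = @('W3SVC', 'WAS', 'EventLog', 'RpcSs', 'RpcEptMapper', 'DcomLaunch', 'Winmgmt',
             'PlugPlay', 'CryptSvc', 'Dnscache', 'W32Time', 'BFE', 'mpssvc', 'KeyIso',
             'SamSs', 'LSM', 'Power', 'wuauserv', 'WinDefend', 'Schedule')

# Print a service and, indented beneath it, everything it requires (recursively).
function Show-ServiceDependencyTree([string]$Name, [int]$Depth = 0) {
    $svc = Get-Service -Name $Name -ErrorAction Stop
    ('  ' * $Depth) + "$($svc.Name) [$($svc.Status)]"
    foreach ($req in $svc.ServicesDependedOn) {
        Show-ServiceDependencyTree -Name $req.Name -Depth ($Depth + 1)
    }
}

# Candidates: anything running or set to auto-start that is not on the allow-list.
$candidates = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -notin $allowed -and ($_.State -eq 'Running' -or $_.StartMode -eq 'Auto') }

foreach ($c in $candidates) {
    $svc = Get-Service -Name $c.Name
    "`n$($c.Name) ($($c.DisplayName)) start=$($c.StartMode) state=$($c.State)"
    "  binary: $($c.PathName)"
    # If an allowed service depends on this one, deleting it would take the role down.
    $neededBy = @($svc.DependentServices | Where-Object { $_.Name -in $allowed })
    if ($neededBy.Count -gt 0) {
        "  KEEP: required by allowed service(s) $($neededBy.Name -join ', ')"
        continue
    }
    "  requires:"
    Show-ServiceDependencyTree -Name $c.Name -Depth 2
    if ($Remove) {
        Stop-Service -Name $c.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $c.Name -StartupType Disabled   # in case the SCM defers deletion
        & sc.exe delete $c.Name | Out-Null                  # gone from the SCM once the process exits
        "  DELETED"
    } else {
        "  (dry run; re-run with -Remove to stop, disable and delete)"
    }
}
```

Always run the dry run first and read the dependency trees: the check only looks one level up (direct dependents), so a service two hops below an allowed one will still be offered for deletion, and a deleted core service on a bastion means a rebuild rather than a rollback.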

Bastion Hosts cont.

• Rename all accounts
• Create a dummy Administrator account with no rights, so that attempts against it are logged
• Use EFS if possible
• Use IPsec and log it
• Enable local logon only
• Lock down further as appropriate
• Scan for vulnerabilities regularly, e.g. LANguard, Nessus, Nmap

Internal Server Hardening

Security rests on 6 items:
1. Secure the system
2. Secure the database
3. Secure the replication
4. Secure the normal access methods
5. Secure the objects
6. Audit

• Scan for changes, e.g. Tripwire
• Scan for vulnerabilities regularly, e.g. LANguard, Nessus, Nmap, MCC

Internal Server Hardening cont.

• Use EFS where possible
• Use XCACLS and MCC audit to verify file permissions and rights
• Use the forest root domain controller as the NTP server (the PDC emulator of the forest root domain is the authoritative time source for the forest)
• Use IPsec filtering
• Tighten the system drive
• Audit critical operations such as policy data and critical file access
• Block access to ports that can be used to reach AD if they are not required

Internal Server Hardening cont.

• Install service packs and hotfixes
• Remove the OS/2 and POSIX subsystem registry values and delete the associated files
• Enable DNS scavenging and do it rigorously
• Clean up anonymous registry access
• Tighten the system drive
• Use NTLMv2 only for authentication
• Test and retest (Tripwire for a baseline; LANguard, Nmap, Nessus, MBSA, MCC)
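The registry items on this slide (NTLMv2 only, OS/2 and POSIX removal, anonymous access, patches, DNS scavenging), as an added PowerShell example that is not part of the original deck; it also covers the "NTLMv2 only" item of the client slide that follows. It audits the settings, and with -Apply sets them. It assumes an elevated PowerShell 5.1+ session on the server; the expected values restate the deck's intent and are my own list, not a vendor baseline.

```powershell
# Added example; not from the original deck. Audit (and with -Apply, set) the LSA
# and subsystem registry values on this slide, then report hotfixes and scavenging.
# Assumes an elevated PowerShell 5.1+ session. Expected values are my restatement of
# the deck's checklist, not a vendor-published baseline.
param([switch]$Apply)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$subs = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

$expected = @(
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';      Value = 5 }  # send NTLMv2 only, refuse LM and NTLM
    @{ Path = $lsa; Name = 'NoLMHash';                  Value = 1 }  # stop storing LM hashes
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Value = 1 }  # no anonymous share enumeration
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Value = 1 }  # no anonymous SAM enumeration
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Value = 0 }  # anonymous is not "Everyone"
)

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-HardeningBaseline {
    $results = @(foreach ($e in $expected) {
        $actual = Get-RegValue $e.Path $e.Name
        [pscustomobject]@{ Setting = $e.Name; Expected = $e.Value; Actual = $actual; Pass = ($actual -eq $e.Value) }
    })
    # OS/2 and POSIX: the 'Os2' and 'Posix' values must be gone and 'Optional' must not name them.
    foreach ($name in 'Os2', 'Posix') {
        $actual = Get-RegValue $subs $name
        $results += [pscustomobject]@{ Setting = "SubSystems\$name"; Expected = '<absent>'; Actual = $actual; Pass = ($null -eq $actual) }
    }
    $opt = @(Get-RegValue $subs 'Optional' | Where-Object { $_ })
    $leftover = @($opt | Where-Object { $_ -match '^(Os2|Posix)$' })
    $results += [pscustomobject]@{ Setting = 'SubSystems\Optional'; Expected = 'no Os2/Posix'; Actual = ($opt -join ','); Pass = ($leftover.Count -eq 0) }
    return $results
}

function Set-HardeningBaseline {
    foreach ($e in $expected) {
        if ((Get-RegValue $e.Path $e.Name) -ne $e.Value) {
            Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type DWord
        }
    }
    foreach ($name in 'Os2', 'Posix') {
        if ($null -ne (Get-RegValue $subs $name)) { Remove-ItemProperty -Path $subs -Name $name }
    }
    $opt = @(Get-RegValue $subs 'Optional' | Where-Object { $_ })
    if ($opt.Count -gt 0) {
        Set-ItemProperty -Path $subs -Name 'Optional' -Type MultiString -Value @($opt | Where-Object { $_ -notmatch '^(Os2|Posix)$' })
    }
    # "Enable DNS scavenging": only meaningful where the DNS Server role is installed.
    if (Get-Command Set-DnsServerScavenging -ErrorAction SilentlyContinue) {
        Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones
    }
}

if ($Apply) { Set-HardeningBaseline }
Test-HardeningBaseline | Format-Table -AutoSize

# The subsystem binaries the deck says to delete. Windows File Protection on 2000/2003
# restores them, so this reports rather than deletes; remove them per the NSA guide.
$sys = "$env:SystemRoot\System32"
foreach ($f in 'os2.exe', 'os2ss.exe', 'os2srv.exe', 'psxss.exe', 'posix.exe', 'psxdll.dll') {
    if (Test-Path (Join-Path $sys $f)) { "subsystem file still present: $f" }
}

# "Install service packs and hotfixes": what landed most recently.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
```

Run without -Apply first and keep the table as the "before" record for the test-and-retest step. On Vista and later the OS/2 and POSIX values and binaries no longer exist, so those rows simply pass; on a domain controller, LmCompatibilityLevel 5 and NoLMHash change what every client can authenticate with, so stage them through the OU baseline rather than one server at a time.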

Client Hardening

• Eliminate Windows 9x from the environment
• Use NTFS (and EFS) exclusively on hard drives
• Use NTLMv2 authentication only
• Disable file and print sharing
• Do not allow local administrative rights!
• Pay attention to remote VPN clients!
• Scan the network frequently
• Use a host-based IPS on clients if available
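Three of the client items above (no local administrative rights, file and print sharing off, NTFS everywhere), as an added PowerShell example that is not part of the original deck. It assumes an elevated PowerShell 5.1+ session on a domain-joined client; CORP is a hypothetical domain and "CORP\Workstation Admins" a hypothetical approved group.

```powershell
# Added example; not from the original deck. Audit a client for rogue local admins,
# file and print sharing bindings and non-NTFS volumes; remediate with -Apply.
# Assumes elevated PowerShell 5.1+. CORP and "Workstation Admins" are hypothetical.
param([switch]$Apply)

# The only principals allowed in the local Administrators group. Domain Admins is
# added automatically on domain join, so it is listed here rather than stripped.
$approvedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins', 'CORP\Workstation Admins')

function Get-RogueLocalAdmins {
    @(Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -notin $approvedAdmins })
}

function Get-FileSharingAdapters {
    # ms_server is the "File and Printer Sharing for Microsoft Networks" binding.
    @(Get-NetAdapterBinding -ComponentID 'ms_server' | Where-Object { $_.Enabled })
}

function Get-NonNtfsVolumes {
    @(Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystemType -ne 'NTFS' })
}

$rogue = Get-RogueLocalAdmins
foreach ($m in $rogue) { "rogue local admin: $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))" }
if ($Apply -and $rogue.Count -gt 0) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $rogue.Name
}

$sharing = Get-FileSharingAdapters
foreach ($a in $sharing) { "file and print sharing bound on adapter: $($a.Name)" }
if ($Apply -and $sharing.Count -gt 0) {
    foreach ($a in $sharing) { Disable-NetAdapterBinding -Name $a.Name -ComponentID 'ms_server' }
    # The Server service (LanmanServer) is what actually answers SMB; stop it too.
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    Set-Service  -Name LanmanServer -StartupType Disabled
}

foreach ($v in Get-NonNtfsVolumes) {
    "non-NTFS volume $($v.DriveLetter): $($v.FileSystemType) (convert or reformat; EFS needs NTFS)"
}
if ($rogue.Count -eq 0 -and $sharing.Count -eq 0 -and (Get-NonNtfsVolumes).Count -eq 0) { 'client checks passed' }
```

Disabling the Server service also removes the administrative shares (C$, ADMIN$) that remote management tools and some software deployment agents rely on, so confirm the management path for VPN and other remote clients before pushing -Apply fleet-wide.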

Tools and References

• NSA Server Security Guides: http://nsa2.www.conxion.com/win2k/
• Microsoft "Threats and Countermeasures Guide"
• Microsoft "Windows Server 2003 Security Guide"
• Microsoft "Windows 2000 Common Criteria Guide"
• Windows 2000 / 2003 Resource Kit
• www.Nessus.org vulnerability scanner

Tools and References cont.

• www.Languard.com vulnerability and device scanner
• Nmap
• Fport from Foundstone.com
• Tripwire file integrity checker (commercial, but an excellent product)

Q&A

Contact Information:

Email: [email protected]

Phone: (616) 393 7250