May 6th, 2008 EDUCAUSE Security Conf 2008 - John Bruggeman
EDUCAUSE Midwest Regional 2008
Effective Windows Desktop Security: XP and Vista
John Bruggeman, [email protected]
Director of Information Systems
Hebrew Union College – Jewish Institute of Religion
Windows Desktop Security !
Agenda: Windows Security
• Defense in Depth – 4 walls of protection
• Top Vulnerabilities – XP and Vista
• EDUCAUSE Security Task Force Effective Practices – EPs on many areas, not just Windows
• Tools that work – Comodo Firewall, Spybot TeaTimer, MBSA; demo of Spybot & Comodo
• Questions & Answers
Copyright Notice
Copyright John Bruggeman, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Who am I?
John Bruggeman, Director of Information Systems (and Telecommunications), Hebrew Union College – Jewish Institute of Religion
• 4 campuses – LA, NY, Cincinnati, Jerusalem
• Responsible for all IS and telecom issues
• 4 staff (one per campus plus one website manager)
• GSEC certified in 2003, recertified in 2005; GCWN certified in 2008 (Windows Security)
• Active in InfraGard and the EDUCAUSE Security Task Force
• Advocate for IT security – we are only as secure as our weakest link!
Defense in Depth
4 Layers of Defense – 4 Walls
Wall 1 – Blocking attacks at the Network (IPS and IDS)
• Tools to use at the network, beyond a traditional firewall
Wall 2 – Blocking attacks at the Host (IPS and IDS)
• Tools to use on the PC
– Anti-Virus, Anti-Spam, Anti-Phishing, Anti-Spyware
Wall 3 – Eliminating Security Vulnerabilities (SANS Top 20)
• Windows vulnerabilities
Wall 4 – Safely supporting Authorized Users
• Balancing security and access
Defense in Depth cont.
Layer 1 – Blocking Attacks at the Network
IPS (Intrusion Prevention Systems)
• Block traffic before it penetrates
• Inspect the content of traffic and allow or deny it
IDS (Intrusion Detection Systems)
• Notice when a system has been compromised (post attack)
Firewall / malware detection at the perimeter
• Classic firewalls are being replaced with IPS devices
• Appliance firewalls for small institutions
– 3Com OfficeConnect, Fortinet, SonicWall
• Big iron for large institutions
– Check Point, Juniper
Defense in Depth – cont.
Layer 2 – Blocking Attacks at the Host
Host Intrusion Prevention Systems
• Spybot TeaTimer, Symantec AV & IPS
– Block unauthorized applications from loading
– AV/IPS products use behaviour patterns, not only static signatures
Personal firewalls
• Comodo Firewall / IPS, ZoneAlarm
– Same idea as hardware firewalls: only explicitly allowed traffic gets through
– Stealth mode hides the computer from attackers' port scans
– Egress filtering helps deter Trojans "phoning home"
• XP SP2 Windows Firewall (successor to the Internet Connection Firewall, ICF)
– Stateful packet filter, "unfriendly" user interface
– No egress filtering, no immediate notification
Screenshot: Comodo Firewall
Defense in Depth – cont.
Windows Vista security features include:
• Hardened services
• User Account Control (UAC)
• Windows Defender (anti-spyware)
• Windows Firewall enhancements
• Network Access Protection
• Internet Explorer Protected Mode
• Phishing Filter
• BitLocker Drive Encryption
• Rights Management
Vista security pillars (diagram; labels recovered from the slide, grouped in the order they appear)
Protects Data
• Rights Management Services (RMS) – SharePoint, Exchange, Windows Mobile integration
• Encrypting File System (EFS)
• BitLocker
Protects Against Malware
• Windows Defender
• IE Protected Mode
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Bi-directional Firewall
• Windows Security Center
Enables Secure Access
• User Account Control
• Network Access Protection (NAP)
• IPsec and IPv6
• Native smart card support
• Certificate Services
• Credential roaming
Fundamentally Secure Platform
• Security Development Lifecycle (SDL)
• Kernel Patch Protection
• Kernel-mode Driver Signing
• Secure Startup
• Windows Service Hardening
Vista Enhancements
User Account Control
• Enables a user to have a non-administrator account and still be productive
• All users operate at the lowest possible privileges
• Administrator accounts run in Admin Approval Mode (AAM)
– The user either supplies administrative credentials or consents (depending on Group Policy settings) before a typical admin function runs
– EXAMPLE: installing a program
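An added example for the UAC slide above (not code from the original deck): a PowerShell script that reads the UAC policy values Vista keeps under HKLM, reports whether Admin Approval Mode is really in force, and can set the values the slide recommends. The value names are the ones the "User Account Control" Group Policy settings write; the meanings of the ConsentPromptBehaviorAdmin values are the Vista ones (0 = elevate silently, 1 = prompt for credentials, 2 = prompt for consent).

```powershell
# Added example, not code from the original slides. Run elevated for Set-UacRecommended.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$adminMeaning = @{
    0 = 'elevate without prompting (AAM is effectively off)'
    1 = 'prompt for credentials'
    2 = 'prompt for consent'
}
$userMeaning = @{
    0 = 'automatically deny (standard users cannot elevate at all)'
    1 = 'prompt for credentials'
}

function Get-UacStatus {
    $p = Get-ItemProperty -Path $uacKey

    # A missing value means "Vista default": UAC on, consent prompt for admins,
    # credential prompt for standard users, prompts shown on the secure desktop.
    $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $admin     = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 2 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $user      = if ($null -eq $p.ConsentPromptBehaviorUser)  { 1 } else { [int]$p.ConsentPromptBehaviorUser }
    $secure    = if ($null -eq $p.PromptOnSecureDesktop)      { 1 } else { [int]$p.PromptOnSecureDesktop }

    New-Object PSObject -Property @{
        UacEnabled         = ($enableLua -eq 1)
        AdminPrompt        = $adminMeaning[$admin]
        StandardUserPrompt = $userMeaning[$user]
        SecureDesktop      = ($secure -eq 1)
        # The combination that actually delivers what the slide promises:
        # UAC on, admins are asked (not silently elevated), prompts cannot be spoofed.
        Ok = ($enableLua -eq 1) -and ($admin -ne 0) -and ($secure -eq 1)
    }
}

function Set-UacRecommended {
    # EnableLUA changes take effect only after a reboot.
    Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-UacStatus | Format-List
```

A machine where someone set ConsentPromptBehaviorAdmin to 0 ("elevate without prompting") still shows UAC as "on" in Control Panel, yet every administrator process silently gets a full token; that is the case the Ok field is there to catch. On a domain member the same values arrive through Group Policy, so fix them there rather than on each box.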
Vista Enhancements
Vista Firewall – Improved! (Yeah!!)
• The Windows Vista firewall can block outgoing traffic; Windows XP only blocked incoming traffic
• Provides the ability to stop peer-to-peer connections
• Provides the ability to stop instant-messaging programs
• Note: outbound filtering is present, but the default outbound policy is Allow; it blocks nothing until the policy is switched to Block or per-program outbound rules are added
Windows Vista Firewall
• Both inbound and outbound
• Authentication- and authorization-aware
• Outbound application-aware filtering is now possible
• Includes IPsec management
• Policy-based administration
• Great for peer-to-peer control
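An added example for the two Vista firewall slides above (not code from the original deck): driving the Vista firewall from PowerShell through netsh advfirewall, the scriptable front end to Windows Firewall with Advanced Security. It makes the default policy deny in both directions, adds a per-program outbound rule, and blocks the RPC/NetBIOS/SMB ports inbound on the Public profile. The program path in the usage lines is a placeholder; run it from an elevated prompt.

```powershell
# Added example, not code from the original slides. Vista, elevated prompt.

function Set-DefaultDeny {
    # Firewall on for every profile, default policy deny in both directions.
    # Vista ships with outbound = allow, so until this runs the
    # "can block outgoing traffic" feature blocks nothing.
    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    # Log drops so "why can't program X connect?" has an answer.
    netsh advfirewall set allprofiles logging droppedconnections enable
}

function Allow-OutboundProgram {
    # With outbound = block, each program that may talk out needs its own rule.
    # That is the slide's peer-to-peer and IM control: anything without a rule stays quiet.
    param([string]$Name, [string]$Path)
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow program="$Path" enable=yes
}

function Block-FileSharingPortsOnPublic {
    # The RPC/NetBIOS/SMB ports (135-139, 445): block them inbound on the Public
    # profile, where a laptop sits on hotel and coffee-shop networks, without
    # touching file sharing on the Domain/Private profiles.
    netsh advfirewall firewall add rule name="Block RPC-NetBIOS-SMB TCP in (public)" dir=in action=block protocol=TCP localport=135,137,138,139,445 profile=public
    netsh advfirewall firewall add rule name="Block NetBIOS UDP in (public)" dir=in action=block protocol=UDP localport=137,138 profile=public
}

function Show-FirewallPolicy {
    netsh advfirewall show allprofiles
    netsh advfirewall firewall show rule name=all dir=out
}

function Show-XpFirewallState {
    # On XP SP2 the old context applies; there is no outbound policy to set.
    netsh firewall show state
    netsh firewall show config
}

# Usage (Vista):
Set-DefaultDeny
Allow-OutboundProgram -Name 'Allow IE out' -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe"
Block-FileSharingPortsOnPublic
Show-FirewallPolicy
```

Before rolling an outbound-deny policy to users, test it on one machine and watch the drop log: the built-in Core Networking rules keep DNS and DHCP working, but Windows Update (svchost.exe), the time service and your anti-virus updater will each need an outbound allow rule of their own.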
Defense in Depth – cont.
Layer 2 – Blocking Attacks at the Host
Personal anti-malware
• Spybot Search & Destroy, Symantec, Microsoft Windows Defender, Sunbelt CounterSpy, Tenebril SpyCatcher
• Pattern matching for known signatures
Network Access Control – host based
• NAC clients verify the configuration and patch level of the machine
• Can enforce network policy and quarantine computers that do not comply with it
– Bradford Networks, Cisco Clean Access, ISS products
Screenshots: Spybot Search & Destroy – Normal mode, Immunize, Advanced mode, Tools (two slides)
Defense in Depth – cont.
Layer 3 – Eliminating Security Vulnerabilities
Vulnerability management and testing
• Know your systems – are they patched?
Patch management
• Use patch management systems to keep clients current
– WSUS, BigFix
Application security testing
• Tools from Foundstone and SourceForge can help with application testing
– http://www.foundstone.com/us/resources-free-tools.asp
Defense in Depth cont.
Layer 3 – Eliminating Security Vulnerabilities
SANS Top Vulnerabilities in Windows Systems
– The SANS (SysAdmin, Audit, Network, Security) Institute
• From the SANS website, www.sans.org:
1) Windows Services
2) Internet Explorer
3) Windows Libraries
4) MS Office and Outlook Express
5) Windows Configuration Weaknesses
Defense in Depth cont.
Layer 3 – Eliminating Security Vulnerabilities
Acronyms galore!
• CVE, CPE, CCE, CVSS, OVAL, SCAP, NVD
– Common Vulnerabilities and Exposures (CVE)
– Common Platform Enumeration (CPE)
– Common Configuration Enumeration (CCE)
– Common Vulnerability Scoring System (CVSS)
– Open Vulnerability and Assessment Language (OVAL)
– Security Content Automation Protocol (SCAP, pronounced "ess-cap")
– National Vulnerability Database (NVD)
• SCAP / NVD – http://nvd.nist.gov
• MITRE – http://cve.mitre.org, http://cpe.mitre.org
Screenshot: National Vulnerability Database
Defense in Depth cont.
Top Vulnerabilities in Windows Systems, from the SANS website www.sans.org
1) Windows Services
• Critical vulnerabilities were discovered in these services in 2007
– Routing and Remote Access Service (MS07-017)
– Unix Services (MS07-053)
• What to do?
– Disable the service if possible
– Scan for vulnerabilities
– PATCH
Screenshot: Windows Services
Defense in Depth cont.
From the SANS website www.sans.org
2) Internet Explorer
– Multiple vulnerabilities were discovered in IE in 2007
» Vector Markup Language, RCE (MS07-050)
» Cumulative Security Updates for IE (MS07-057, MS07-045, MS07-033)
» Vulnerabilities in GDI, RCE (MS07-017)
– How to mitigate
» On XP, install SP2 and upgrade to IE 7
» On 2000 and NT, keep patches current
» Use DropMyRights from Microsoft to run IE with lower privileges
» Check your Browser Helper Objects (BHOs) for spyware
» Disable scripting and ActiveX
Screenshot: Windows IE settings
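An added example for the two IE mitigations above, "check your BHOs" and "disable scripting and ActiveX" (not code from the original deck): a PowerShell script that lists every Browser Helper Object registered on the machine together with the DLL behind its CLSID, which is what you actually inspect for spyware, and reads or sets the Internet-zone switches for ActiveX and active scripting. The registry locations are the standard IE ones: zone 3 is the Internet zone, value 1200 is "Run ActiveX controls and plug-ins", 1400 is "Active scripting", and 0/1/3 mean enable/prompt/disable.

```powershell
# Added example, not code from the original slides.
$bhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneMeaning = @{ 0 = 'enable'; 1 = 'prompt'; 3 = 'disable' }

function Get-BrowserHelperObjects {
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid    = $sub.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = $null; $dll = $null
        if (Test-Path -LiteralPath $clsidKey) {
            $name = (Get-ItemProperty -Path $clsidKey).'(default)'
            $srv  = Join-Path $clsidKey 'InprocServer32'
            if (Test-Path -LiteralPath $srv) {
                # The value may be quoted and may contain %SystemRoot%-style variables.
                $dll = [Environment]::ExpandEnvironmentVariables(((Get-ItemProperty -Path $srv).'(default)').Trim('"'))
            }
        }
        New-Object PSObject -Property @{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            # A BHO whose DLL is missing, or lives under a user profile or temp folder, deserves a look.
            DllExists = ($null -ne $dll) -and (Test-Path -LiteralPath $dll)
        }
    }
}

function Get-InternetZoneSettings {
    # A missing value is the IE default for the Internet zone, which is 0 (enable).
    $p = Get-ItemProperty -Path $zoneKey
    New-Object PSObject -Property @{
        RunActiveX      = $zoneMeaning[[int]$p.'1200']
        ActiveScripting = $zoneMeaning[[int]$p.'1400']
    }
}

function Disable-InternetZoneActiveContent {
    # What the slide means by "disable scripting and ActiveX", for the Internet zone only.
    # This is a per-user setting; if the HKLM policy hive sets the same values, policy wins.
    Set-ItemProperty -Path $zoneKey -Name '1200' -Value 3 -Type DWord
    Set-ItemProperty -Path $zoneKey -Name '1400' -Value 3 -Type DWord
}

Get-BrowserHelperObjects | Format-Table CLSID, Name, Dll, DllExists -AutoSize
Get-InternetZoneSettings
```

Disabling active scripting in the Internet zone breaks most sites, so in practice you disable it there and put the sites that need it in the Trusted Sites zone (zone 2, same value names). On 64-bit Windows, 32-bit IE reads its BHOs from the Wow6432Node branch of the same path, so run the listing against both keys.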
Defense in Depth cont.
From the SANS website www.sans.org
3) Windows Libraries
• DLLs can have buffer overflow vulnerabilities
• Vulnerabilities discovered in 2007
– Vulnerability in Media file format allows RCE (MS07-068)
– Vulnerability in Windows Messaging allows RCE (MS07-065)
– Vulnerability in DirectX allows RCE (MS07-064)
– Vulnerability in Windows URI handling allows RCE (MS07-061)
– The list continues for 2007 and 2008
• Patch your systems and scan for vulnerabilities
• Use least privilege where possible
• Filter TCP/UDP ports 135-139 and 445 (RPC, NetBIOS, SMB) at the perimeter and on the host firewall
• Use an IPS and IDS
Defense in Depth cont.
Vista Vulnerabilities in 2007 – 2008
• It is more secure, but holes still exist:
– Vulnerability in Kernel – privilege elevation (MS08-025)
– Vulnerability in GDI allows RCE (MS08-021)
– Vulnerability in DNS could allow spoofing (MS08-020)
– Vulnerability in IE 7.0, cumulative security update (MS08-010)
– Vulnerability in OLE Automation allows RCE (MS08-008)
– Vulnerability in WebDAV allows RCE (MS08-007)
– Vulnerability in Media file format allows RCE (MS07-068)
– Vulnerability in Kernel could allow RCE (MS07-066)
• Patch, patch, patch…
Defense in Depth cont.
4) MS Office and Outlook
• Check your systems with a vulnerability scanner
– MBSA, Windows Update
• Mitigate by patching; disable the IE feature that opens Office documents inside the browser
• Configure Outlook with enhanced security
• Use IPS and IDS
Defense in Depth cont.
From the SANS website www.sans.org
5) Windows Configuration Weaknesses
– Weak passwords on accounts or network shares
» LAN Manager (LM) hashes are weak and should be replaced with stronger, more current hash techniques
» Default configurations for servers and applications can open machines to password guessing
» MSDE ships with the SA account set to a blank password
» Several worms take advantage of this: Voyager Alpha Force and SQL Spida use known weak configurations to spread
– Enforce a strong password policy
– Prevent Windows from storing the LM hash in AD or the SAM
– Disable null sessions and restrict anonymous access
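An added example for the three fixes on this slide (not code from the original deck): a PowerShell script that audits and then sets the registry values behind "don't store the LM hash", "disable null sessions / restrict anonymous access", and the local password and lockout policy. The value names are the documented LSA and LanmanServer settings for XP and Vista; the desired values are my recommendation, not the slide's. Run it elevated.

```powershell
# Added example, not code from the original slides.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Desired state. LmCompatibilityLevel 3 = send NTLMv2 only; 5 on a server also
# refuses LM and NTLM from clients. Go above 3 only once nothing on the network
# still needs LM/NTLM, or logons start failing.
$desired = @(
    @{ Path = $lsa; Name = 'NoLMHash';                  Value = 1 },
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';      Value = 3 },
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Value = 1 },
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Value = 1 },
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Value = 0 },
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Value = 1 }
)

function Test-LsaHardening {
    foreach ($d in $desired) {
        $item   = Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue
        $actual = if ($null -eq $item) { $null } else { $item.($d.Name) }
        New-Object PSObject -Property @{
            Setting = $d.Name
            Actual  = $actual
            Desired = $d.Value
            Ok      = ($actual -eq $d.Value)
        }
    }
}

function Set-LsaHardening {
    foreach ($d in $desired) {
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
    # Shares and named pipes reachable over a null session: make both lists empty.
    Set-ItemProperty -Path $srv -Name 'NullSessionShares' -Value ([string[]]@()) -Type MultiString
    Set-ItemProperty -Path $srv -Name 'NullSessionPipes'  -Value ([string[]]@()) -Type MultiString
}

function Set-AccountPolicy {
    # Local password and lockout policy (the slide's "enforce a strong password policy").
    # On a domain member the domain's Default Domain Policy overrides these values.
    net accounts /minpwlen:12 /maxpwage:90 /minpwage:1 /uniquepw:12
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
}

# Audit first, fix, then audit again.
Test-LsaHardening | Format-Table Setting, Actual, Desired, Ok -AutoSize
```

NoLMHash only stops the LM hash from being written at the next password change; every account keeps its existing LM hash until the user changes the password, so force a change (or use a password longer than 14 characters, for which no LM hash can be computed) after turning it on. An easy check that a null session is really gone is `net use \\hostname\ipc$ "" /user:""` from another machine, which should now be refused.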
Defense in Depth cont.
Frequent mistakes made in Windows security
• www.sans.org/reading_room/whitepapers/windows/1016.php
Allowing null sessions
• http://www.microsoft.com/technet/security/bulletin/ms99-055.mspx
• http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/swin2k06.mspx
Weak lockout policies
• http://www.microsoft.com/technet/archive/security/chklist/xpcl.mspx
Weak account policies
Multiple trust relationships
Multiple Domain Admin accounts
Audit logs turned off
Automatic Updates turned off
Screenshot: Password Policies
Defense in Depth cont.
Common Password Myths
1. Password hashes are safe using NTLMv2
2. Hr^y*Pwe(1#$ is a great password
– [email protected] is better
3. 14 characters is the optimal length
– For passwords over 14 characters Windows cannot compute an LM hash at all, so only the NT hash is usable and the stored LM field is a dummy value
4. M1ke100 is a good password
5. Eventually any password can be cracked
6. Passwords should be changed every 60 days
7. You should never write down your password
8. Passwords can’t include spaces
Defense in Depth cont.
Frequent mistakes made in Windows security: Updates turned off
• SANS, Gartner Group and others report that 80-90% of attacks exploit known vulnerabilities.
• SQL Slammer (W32.Slammer) in January 2003 attacked a known vulnerability whose patch had been available for 6 months before the worm hit.
Need to patch systems and keep them current
• Does require a patch management strategy
• Will require time
• Payoff is less downtime
ANI Vulnerability
http://www.infoworld.com/article/07/04/04/HNanispammers_1.html
In April 2007, Chinese and Russian attackers released an exploit for a previously undisclosed vulnerability in Windows' handling of animated cursor (ANI) files, delivered through Internet Explorer to infect browsers with malware.
The bug overflowed an internal buffer in the LoadAniIcon routine that parses the file's anih header chunk. The vulnerability was not completely new: Microsoft had patched this code before, but apparently not completely.
ANI Vulnerability
Not so amazingly, this vulnerability also affects Windows Vista, which Microsoft was until recently calling the "most secure OS ever". Can you spot the similarity yet? If not, here is another interesting point: the attackers installed a Trojan horse whose sole purpose was to harvest passwords stored on the computer, look for keywords such as credit card and PIN numbers, and send what it found back to what are referred to as control centers (command-and-control servers).
The web sites that carried the exploit were compromised not on the day the exploit was released but months earlier, more specifically a few weeks before the last Super Bowl.
Where they plant the malicious code
http://securitywatch.eweek.com/exploits_and_attacks/ani_exploit_tied_to_hacked_super_bowl_site.html
Unlike "regular" sites, these are high-volume sites with a large share of non-technical visitors. That makes them prime candidates for spreading the attackers' malware and exploiting the visitors' vulnerabilities, with little chance of anyone noticing.
Other compromised web sites included asus.com, windrivers.com and others.
The bad solution
In an attempt to get hold of the malware, the sites that hosted the malicious payload and the JavaScript code were taken down. Instead of fixing the actual problem (the injected JavaScript on the compromised sites), only the sites the JavaScript pointed to were taken down, which made the problem appear "solved" when in fact it was not.
Defense in Depth cont.
Patching Windows
What to patch
• OS
• Applications
Types of patches from MS
• Hotfix, Update, Critical Update, Security Patch, Update Rollup, Service Pack
Defense in Depth cont.
How to patch – tools from Microsoft
• Microsoft Update is different from Windows Update
– MU updates all MS products, not just Windows
» Office updates, server product patches
• WSUS is the updated SUS server
– New version coming out, WSUS 3.0 in beta now
– www.microsoft.com/wsus
– Targeted client installs, selective client patching, uninstall options
Defense in Depth cont.
Testing and verification
Patch systems are not perfect; you need to test after patches have been applied
Tools
• Microsoft Baseline Security Analyzer 2.1 (Beta)
– Used for Vista and below
• MBSA 2.0
– Used for Windows 2000 SP3 and later
– Office XP and later
– Exchange 2000 and later
• MBSA 1.2.1
– Office 2000
– Exchange 5.0 and 5.5
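An added example for the testing-and-verification slide (not code from the original deck): two independent PowerShell checks of a client's patch state after WSUS or BigFix reports success. The first asks WMI's Win32_QuickFixEngineering for specific KB numbers; the second asks the Windows Update Agent COM API (Microsoft.Update.Session) what the configured update source, WSUS or Microsoft Update, still considers missing. The KB numbers in the usage lines are placeholders, and the MBSA path is assumed to be the default 2.x install location.

```powershell
# Added example, not code from the original slides.

function Test-HotfixInstalled {
    param([string[]]$KbNumbers)
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
    foreach ($kb in $KbNumbers) {
        New-Object PSObject -Property @{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-MissingUpdates {
    # QFE is not exhaustive (Office and other non-hotfix updates never appear in it),
    # so ask the update agent itself. The criteria string uses the documented WUA syntax;
    # the agent talks to whatever source the client is pointed at (WSUS or Microsoft Update).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title    = $u.Title
            # Critical / Important / Moderate / Low; empty for non-security updates.
            Severity = $u.MsrcSeverity
            KBs      = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', ')
        }
    }
}

function Invoke-MbsaScan {
    # Command-line MBSA against this host; /nvc skips the check for a newer MBSA version.
    $mbsacli = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
    & $mbsacli /target localhost /nvc
}

# Usage: replace the placeholders with the KB numbers of the bulletins you track.
Test-HotfixInstalled -KbNumbers 'KB123456', 'KB234567' | Format-Table KB, Installed -AutoSize
Get-MissingUpdates | Sort-Object Severity | Format-Table Severity, Title, KBs -AutoSize
```

The point of running both is that they disagree in useful ways: a KB that WSUS says it approved but that Get-MissingUpdates still lists usually means the client never checked in (look at the WindowsUpdate.log on the client), while a KB that QFE shows as installed but a scanner still flags usually means a reboot is pending and the old binary is still loaded.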
Defense in Depth cont.
Hardening Windows
Hardening techniques
• Limit services
– Verify what services are needed
– On servers, these can usually be disabled:
» IIS (unless needed), Fax service, Indexing service, Messenger, Telnet, Remote Access, QoS RSVP, others
– On workstations, disable unless needed:
» Fax service, Indexing service, Messenger, Telnet, others
» Enable the firewall
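An added example for the "limit services" slide (not code from the original deck): a PowerShell script that stops and disables the services the slide lists where they exist, reports which were actually running, and then shows what is still listening on the network so you can see what the cut achieved. The short service names are the XP/2003 ones (Fax, cisvc for Indexing, Messenger, TlntSvr for Telnet, RemoteAccess, RSVP for QoS RSVP, W3SVC for IIS); the ones that do not exist on a given Windows version are simply skipped. Run it elevated.

```powershell
# Added example, not code from the original slides.
$workstationServices = 'Fax', 'cisvc', 'Messenger', 'TlntSvr', 'RemoteAccess', 'RSVP'
$serverExtras        = 'W3SVC'   # IIS, unless the box really is a web server

function Disable-UnneededServices {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # Absent on this Windows version? Get-Service returns nothing; move on.
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        $wasRunning = ($svc.Status -eq 'Running')
        if ($wasRunning) { Stop-Service -Name $n -Force }
        # Disabled, not Manual: anything that can start a Manual service will.
        Set-Service -Name $n -StartupType Disabled
        New-Object PSObject -Property @{ Service = $n; WasRunning = $wasRunning; Disabled = $true }
    }
}

function Get-ListeningServices {
    # Map every listening TCP socket back to the service(s) hosted in that process.
    # Several services share one svchost.exe, so a PID can map to more than one name.
    $svcByPid = @{}
    Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
        $svcByPid[[int]$_.ProcessId] += ($_.Name + ' ')
    }
    netstat -ano | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
        $cols = ($_ -replace '^\s+', '') -split '\s+'   # Proto, Local, Foreign, State, PID
        New-Object PSObject -Property @{
            LocalAddress = $cols[1]
            PID          = [int]$cols[4]
            Services     = $svcByPid[[int]$cols[4]]
        }
    }
}

# Workstation run; add $serverExtras for a server that does not serve web pages.
Disable-UnneededServices -Names $workstationServices | Format-Table Service, WasRunning, Disabled -AutoSize
Get-ListeningServices | Sort-Object PID | Format-Table LocalAddress, PID, Services -AutoSize
```

Compare the listening list before and after: RemoteAccess and TlntSvr each own a port, so they should vanish from the list; Messenger and the Indexing service do not listen on their own ports, so disabling them shows up only in the first table. On a domain member, prefer to set the same startup types through the Group Policy "System Services" node so the change survives a reimage.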
Defense in Depth cont.
Hardening Windows Hardening techniques
• Limit protocols– Verify what protocols are needed for your network
» On servers normally TCP/IP is sufficient
» On workstations normally TCP/IP is all that is needed
» Remove IPX/SPX, NetBios,
• Limit Network devices– Bluetooth (disable unless needed)
– Wireless (disable unless needed)
– Firewire (disable unless needed)
May 6th, 2008 EDUCAUSE Security Conf 2008 - John Bruggeman
Defense in Depth cont.
Hardening Windows Firewalls
• Host based firewalls– Server options
» Windows 2003 SP1 firewall option– Workstation options
» XP SP2, ZoneAlarm, Comodo Firewall» 85 listed on Download.com
– Vista» Much better default settings in Vista
May 6th, 2008 EDUCAUSE Security Conf 2008 - John Bruggeman
Defense in Depth cont.
Layer 4 – Safely supporting authorized Users ID and Access Management
• Verify that the right people are allowed to use a system• Two factor authentication
– Pass phrase and token
• Three factor authentication– Pass phrase, token, biometric
File Encryption• Encrypt your sensitive data and your backups!• USB drive encryption• Backup encryption• BitLocker in Vista – the start of HD encryption
May 6th, 2008 EDUCAUSE Security Conf 2008 - John Bruggeman
Defense in Depth cont.
Layer 4 – Safely supporting authorized Users Secure Communication
• SSL, encrypted tunnels, VPN’s– SSL firewalls are hot / popular
» Easy for the end user to use
PKI – Public Key Infrastructure• Digital certificates, public key cryptography, Certificate
Authorities• Big topic, lots of details here but adds a significant layer of
security for the end users
May 6th, 2008 EDUCAUSE Security Conf 2008 - John Bruggeman
EDUCAUSE Security Task Force Effective Practices
• The EP group is a sub-group of the Security Task Force
• Meets bi-weekly on Fridays via phone conference
• Active security staff in the higher-ed space
• Develops Effective Practices drawn from the real-world experience of that staff
• Website links:
– http://www.educause.edu/security
– https://wiki.internet2.edu/confluence/display/secguide/Effective+IT+Security+Practices+and+Solutions+Guide
EDUCAUSE Security Task Force Effective Practices
Current list of EPs (all in the IT Security Guide):
• Access Control Systems and Methodology
• Applications and System Development
• Awareness and Training
• Business Continuity and Disaster Recovery
• Compliance and Legal Issues
• Confidential Data Handling Blueprint
• Data Incident Notification Toolkit
• Incident Handling and Forensics
• Operations Security
• Personnel Security
• Physical and Environmental Security
• Responsible Use and Ethics
• Risk Management
• Security Architecture and Models
• Security Policies and Procedures
• Telecommunications and Network Security
EDUCAUSE Security Task Force Effective Practices
My top picks from the list:
• Confidential Data Handling Blueprint
• Awareness and Training
• Data Incident Notification Toolkit
• Incident Handling and Forensics
• Risk Management
• Security Policies and Procedures
What about Vista? Vista Security Enhancements (diagram; labels recovered from the slide)
Fundamentals
• SDL
• Service Hardening
• Code Scanning
• Default configuration
• Code Integrity
Threat and Vulnerability Mitigation
• IE – Protected Mode / anti-phishing
• Windows Defender
• Bi-directional Firewall
• IPsec improvements
• Network Access Protection (NAP)
Identity and Access Control
• User Account Control
• Plug and Play smartcards
• Simplified logon architecture
Remaining labels (their group heading was not recovered)
• BitLocker
• RMS Client
Tools that Work!
Tools and techniques – open source tools for network testing
• Metasploit – framework for testing exploits
• Nessus – scanning tool to check for vulnerabilities
• Ethereal (now Wireshark) – packet sniffer
Microsoft tools for desktop security
• MBSA 2.0.1
– MBSA 2.1 in beta (Vista version)
• IIS Lockdown Tool
• Windows Defender (anti-spyware / malware detector)
• http://www.microsoft.com/technet/security/default.mspx
• http://www.microsoft.com/protect/default.mspx
Tools that Work!
Tools and techniques – other tools for desktop security
• Comodo Firewall (better than ZoneAlarm)
• Spybot TeaTimer
– No-cost IPS (though you can donate)
• Secunia PSI (Personal Software Inspector)
– Beta software that checks whether the software installed on your PC is at its current version
– https://psi.secunia.com/
• MS Defender
– MS anti-spyware / malware tool (free)
Tools that Work!
Tools and techniques – rootkit revealers
• VICE – freeware
– http://www.rootkit.com/vault/fuzen_op/vice.zip
• Patchfinder – freeware
– http://www.invisiblethings.org
• RootkitRevealer – freeware
– http://www.sysinternals.com/Files/RootkitRevealer.zip
• BlackLight – commercial, from F-Secure
– http://www.f-secure.com/
• Tripwire – file-based integrity checking
– http://www.tripwire.com
– Not as useful anymore due to memory-based rootkits
Demos
Tools and techniques – available tools
• Spybot TeaTimer – DEMO
• Comodo Firewall – DEMO
Windows Security Resources
Resources
• www.educause.edu/security
• www.microsoft.com/technet/security
• www.sans.org/reading_room/whitepapers/windows
• www.securityfriday.com
• www.cert.org
• www.hackingexposed
• www.incidents.org
• http://www.foundstone.com/us/resources-free-tools.asp
Wrap up and Q & A
Fundamental security practice? DEFENSE in DEPTH
• 4 walls or layers of security
Wall 1 – Block attacks at the Network (IPS and IDS)
Wall 2 – Block attacks at the Host (IPS and IDS)
• Anti-Virus, Anti-Spam, Anti-Phishing, Anti-Spyware
Wall 3 – Eliminate Security Vulnerabilities (SANS Top 20)
Wall 4 – Safely support Authorized Users
Don’t re-invent the wheel: ask questions, look online
Questions? Comments? Tips?
My Email: [email protected]
513-487-3269
http://www.huc.edu