The Ten Immutable Laws of Microsoft SharePoint Security

Rick TaylorSenior Technical ArchitectPERFICIENT

OSP201

Who Am I?

Who am I???

The Guardian of Lost SoulsThe PowerfulThe Pleasurable

The IndestructibleRick Taylor

Slick Rick – if you’re nasty

Agenda

The OSI ModelAttack SurfacesBest Practices at securing each layer

What’s the point?

Security is more than just AuthN/AuthZSecurity is like dressing for the cold (do it in layers; aka: DiD (Defense in Depth) )In Security, the WHY is more important than the HOW

A Word about Security• Security and complexity are often inversely proportional. • Security and usability are often inversely proportional. • Security is an investment, not an expense. • "Good enough" security now, is better than "perfect" security ...never• There is no such thing as "complete security" in a usable system. • A false sense of security is worse than a true sense of insecurity. • Your absolute security is only as strong as your weakest link. • Concentrate on known, probable threats. • Security is directly related to the education and ethics of your users. • Security is not a static end state, it is an interactive process. • There are few forces in the universe stronger than the desire of an individual to get his or

her job accomplished. • You only get to pick two: fast, secure, cheap.• In the absence of other factors, always use the most secure options available. • Security ultimately relies - and fails - on the degree to which you are thorough. People don't

like to be thorough. It gets in the way of being done.

What is the OSI Model?

Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

What is Layer 1

Defines electrical and physical specifications Defines relationship between a device and its medium (Copper,

optical, radio, etc)

Layer 1 Attack Surfaces

The mediumCableAir

The hostVia KeyboardVia conduit (RDP host)

Securing Layer 1 - continued

LocksCages

LAW #2 - If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

What is Layer 2?

SublayersMedia Access Control (MAC)Logical Link Control (LLC)Application Protocol Convergence (APC)

ProtocolsARPPPP

How data is transferred from node to node across a network.

Layer 2 Attack Surfaces

Wireless Access PointsWardriving

HubsBroadcasting (rare)

Switches (ARP)Man-in-the-Middle Attacks

Securing Layer 2

Wireless Networks Sniffers ARP flooding

Securing Layer 2 - continued

Strong passwords on wireless routersStrong encryption on wireless networksUse ARP Defense software/hardwareUse DHCP Snooping

Track the physical location of hosts.Ensure that hosts only use the IP addresses assigned to them.Ensure that only authorized DHCP servers are accessible.

Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone

What is Layer 3?

Performs network routing functions3 sublayers:

Subnetwork AccessSubnetwork Dependent ConvergenceSubnetwork Independent Convergence

ProtocolsIP

ServicesICMP

Layer 3 Attack Surfaces

Unused Open PortsCommonly Open PortsPacket inspection

Enumerating Shares

Enabling IPSec via GPO

Benefits of IPsec

IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured networkIPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network

• IPsec has two goals: to protect IP packets and to defend against network attacks

• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other

• IPsec secures network traffic by using encryption and data signing

• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

Securing Layer 3

Prevent ICMP abuseDDoSAdd “no ip directed-broadcast” to the router (Smurf bounce)Drop (disable) ICMP - *maybe* to prevent malware from “Phoning Home”

Use IPSecUse Network Policy Processing

Network Policy Processing

Are there policies to process?

START

Does connection attempt match policy conditions?

Yes

Reject connection attempt

Is the remote access permission for the user account set to Deny Access?

Is the remote access permission for the user account set to Allow Access?

Yes

Yes

NoGo to next policy

No

Yes

Is the remote access permission on the policy set to Deny remote access permission?

Does the connection attempt match the user object and profile settings?

No

Yes

Accept connection attempt

Reject connection attempt

No

Yes

No

No

Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore

What is Layer 4?

Responsible for reliable communication between endpointsProtocols

Connection-OrientedTCP

ConnectionlessUDP

Layer 4 Attack Surfaces

The operating system (OS Fingerprinting)

Securing Layer 4

Use routers between network segmentsUse private IP addresses on internal networkUse SSLPEN test your networkEnable “Fingerprint Scrubbing” on routers

Securing Layer 4 - continued

Alter the OS kernelChange the default IP time-to-liveChange the initial TCP window size

Modify network-related registry entries

Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more

What is Layer 5?

Responsible for connections between hostsEstablish, Manage, TerminationCheckpointing

ProtocolsRemote Procedure Calls (RPC)

Layer 5 Attack Surfaces

Session hijackingDNS PoisoningDDoS

Quick Test

Step 1 Browse to http://bad.ketil.froyn.name/Step 2 Browse to http://www.example.comIf you see a link to RFC 2606 you are safe.If you see a page saying POISONED…update your resume…jk

Securing Layer 5

Choose your authentication protocols wiselyLess secure protocols maybe be tunneled through more secure protocols

Configure DNS correctlySpecify IP address of authorized DNS servers

What is Layer 6?

Presentation = TranslationResponsible for representing data in different formatsResponsible for serialization of objects to and from XML

Layer 6 Attack Surfaces

NetBIOSSMBIPC$

Securing Layer 6

Lock down Null Session capabilityFor Clients:

HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous0 – Default setting.1 – Null session can not be used to enumerate shares or user names

For ServersHKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous0 – Default setting. Null sessions can be used to enumerate shares1 – Null sessions can not be used to enumerate shares

HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM0 – Null sessions can enumerate user names1 – Default setting. Null sessions can not enumerate user names

Law #6: Absolute anonymity isn't practical, in real life or on the Web

What is Layer 7?

Top layer of OSI modelInterfaces directly with applications and their processes.Most of us focus primarily (if not exclusively) at this layer

Layer 7 Attack Surfaces

DNSFTPSMTPTelnetSQLEtc, etc, etc

Securing Layer 7

Use GPO policies to block software installationUse GPO policies to prevent misuse of accountsUse NAP to enforce access policiesUse IPSec to secure host to host and host to server communicationsFollow Best Practices for securing service accounts

Law #7: Weak passwords trump strong security

Law #8: A computer is only as secure as the administrator is trustworthy

Service AccountsFarmSetupApplication PoolSQL

SharePoint Service Accounts

SQL Server Service AccountSharePoint Setup User AccountSharePoint Farm Service Account

SharePoint Service Accounts

Fewest is bestLeast Privilege is bestSome rights will change (and not all are “Service” accounts)

Law #9: Your infrastructure is as strong as your weakest link

Law #10: Technology is not a panacea

10 Immutable Laws of Security

Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore Law #3: If a bad guy can view your conversation, you have just invited him to tell everyoneLaw #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more Law #6: Absolute anonymity isn't practical, in real life or on the WebLaw #7: Weak passwords trump strong security Law #8: A computer is only as secure as the administrator is trustworthy Law #9: Your infrastructure is only as strong as your weakest linkLaw #10: Technology is not a panacea

Thank you for attending!

Please be sure to fill out your session evaluation!

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

http://northamerica.msteched.com

Connect. Share. Discuss.

Complete an evaluation on CommNet and enter to win!

Scan the Tag to evaluate this session now on myTech•Ed Mobile