SEC403 Network Threat Modeling

Jesper M. Johansson, Ph.D.

Security Program Manager, Security Business Unit, Microsoft Corporation

jesperjo@microsoft.com


Threat Modeling

Understanding and communicating the threats to your environment

Commonly used in application design

Writing Secure Code 2nd Ed.

Can also be applied to networks

Network Security Hardening

Default OS configuration is acceptable for a trusted network

Windows 2000 is very open by default

Windows Server 2003 is much more secure

Still room for improvement

Application hardening is critical

Same rules apply as for software

Lemma: You cannot design an optimal security configuration without a thorough understanding of the usage pattern of a system

Example 1: Windows 2000

IIS is turned on by default

All the samples are installed

Web printing is turned on

Anonymous users can connect

Enumerate all shares (including "hidden")

Enumerate all users

List administrators

Obtain auto admin logon credentials

Example 2: SQL Server 2000

Service account typically is Local System

Technically not correct, but if you specify anything else, it gets SeTCB (SeTcbPrivilege, "Act as part of the operating system")

Public has execute permission on 1,000+ stored procedures and objects

Listens on several different transports

Tells anyone what databases are available

Example 3: Open Hack IV

Four systems

Web Server

SQL Server

Terminal Server

VPN Server

Well-understood environment

Limited Scope

Test-bed for new techniques

[Diagram: Open Hack IV topology. Nodes: Internet, Web, SQL, TS, VPN, Virtual Net. Ports labelled on the links: 80 (Web), 3389 (Terminal Services, on several links), GRE/1723 (VPN), 1433 (SQL).]

Open Hack IV Hardening

Windows 2000 Service Pack 3

All patches

IPSec restricted all traffic

Only known traffic allowed

No general traffic

Certificate-based (no domain PKI)

Unable to run SQL Enterprise Manager and RRAS Manager

Open Hack IV Hardening

SQL Server hardening

SQL 2000 Service Pack 2

Custom, unprivileged service account

Restrict access to sprocs and XPs

Anonymous web user account

Duplicated on SQL Server

Account has execute on sprocs

No access to the database

Lessons Learned

Analysis of target environment is absolutely essential

Must include analysis of protocols

Understanding what is unnecessary is hard

Baseline and deltas works well

Group policy is a bonus

Easy configuration of baseline/deltas

Includes IPSec policies

Careful smoke-testing needed

Applying the lessons - DSR

Document: model applications and services (environment dependent)

Segregate: by application and by security requirements

Restrict: disable services, close ports, use IPSec or RRAS filters, use different passwords

Document

Purpose is to communicate what the environment looks like

Use well understood modeling techniques

Modified data flow diagrams

Threat trees

Verbose documentation

Looking at Systems with DFDs

Graphic representation showing communication between objects

Describes activities that process data

Shows how data flows through a system

Shows logical sequence of associations and activities

Sometimes known as a process model

We are appropriating and modifying this method

Modified Data Flow Diagram Conventions

[Legend: symbols for System or Application, External Entity, Duplicated External Entity, Data Flow]

Modeling a Network

[Diagram: the network to be modeled. Nodes: Internet, Domain Controller, Client, Corporate Domain Controller, Corporate Clients, Client, Web Farm 1, Web Farm 2, SQL Cluster, VPN Server, Corp Servers.]

Superimposing the DFD

[Diagram: the same network with the modified DFD drawn over it: the same nodes, now with the data flows between them.]

Segregate

Segregate systems by application and security requirements

Should you trust systems that are not part of your application?

Which systems do they trust?

What are their security requirements?

Less sensitive systems may depend on more sensitive systems

More sensitive systems MUST NEVER depend on less sensitive systems
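The two segregation rules above can be checked mechanically once the flows are documented. The following is an added example, not code from the deck: it takes a list of documented flows (the system that opens the connection, the system it talks to, the port written on the segment diagram), assigns each system an assumed sensitivity tier, flags every flow in which a more sensitive system depends on a less sensitive one, and answers the "which systems do they trust?" question by walking the dependency graph transitively. The hosts, tiers and flows are constructed to resemble the deck's web farm / SQL / domain controller diagrams and are not taken from it.

```python
"""Dependency-direction check for a segmented network.

Added example, not from the original deck.  The hosts, their sensitivity
tiers and the documented flows below are constructed to resemble the deck's
web farm / SQL / domain controller diagrams; the tier numbers are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # the system that opens the connection, i.e. the dependent side
    dst: str   # the system providing the service
    port: str  # port as written on the segment diagram (e.g. "1433")


# Higher number = more sensitive.  Assumed tiers for the constructed example.
TIER = {
    "Internet Client": 0,
    "Staging Server": 1,
    "Web Farm 1": 1,
    "SQL 1": 2,
    "Domain Controller": 3,
}

# Constructed flows.  The last one is the deliberate mistake: a domain
# controller that pulls something from a web server has made the most
# sensitive system depend on one of the least sensitive ones.
FLOWS = [
    Flow("Internet Client", "Web Farm 1", "80, 443"),
    Flow("Web Farm 1", "SQL 1", "1433"),
    Flow("Web Farm 1", "Domain Controller", "445"),
    Flow("SQL 1", "Domain Controller", "445"),
    Flow("Staging Server", "Web Farm 1", "445"),
    Flow("Staging Server", "SQL 1", "1433"),
    Flow("Domain Controller", "Web Farm 1", "445"),
]


def violations(flows, tier):
    """Flows in which the dependent side is MORE sensitive than the side it
    depends on.  The deck's rule: these must never exist."""
    return [f for f in flows if tier[f.src] > tier[f.dst]]


def dependencies(flows, host):
    """Everything `host` transitively depends on.  Trusting a system means
    implicitly trusting everything that system in turn depends on."""
    graph = defaultdict(set)
    for f in flows:
        graph[f.src].add(f.dst)
    seen, stack = set(), [host]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def report(flows, tier):
    """Human-readable findings, one line per violation."""
    return [
        f"{f.src} (tier {tier[f.src]}) depends on {f.dst} (tier {tier[f.dst]}) "
        f"over {f.port}: more sensitive system depends on less sensitive one"
        for f in violations(flows, tier)
    ]


if __name__ == "__main__":
    for line in report(FLOWS, TIER):
        print(line)
    print("Internet Client transitively depends on:",
          sorted(dependencies(FLOWS, "Internet Client")))
```

Note that the direction of the flow is the direction of the dependency: the side that opens the connection is the side that trusts. That is why the same port (445) is fine from the web farm up to the domain controller and a violation from the domain controller down to the web farm.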

Documenting Segments

[Diagram: the segmented network with the port each link uses. Nodes: Domain Controller, Corp Servers, Corp Clients, Corp DCs, Internet Client, Web Farm 1, SQL 1, Web Farm 2, SQL 2, VPN, Term Serv. Ports on the links: 80, 443 and 443 (web), 1433 (SQL), 445 (SMB, on many links), 3389 (Terminal Services), 1723 (PPTP VPN).]

Trust Boundaries

Systems and entities you trust are included within your trust boundary

Should your trust boundary include databases?

It depends

Who writes to them?

Do you trust those systems?

If you trust the systems that write to the database you may still not want to trust the database

Is it secure?

Trust Boundaries

[Diagram, recovered as far as the figure allows: Internet Client, Web Farm 1, SQL 1, Domain Controller and a Staging Server, with a Trust Boundary drawn. Ports: 80, 443 (Internet Client to Web Farm 1), 1433 (to SQL 1), 445 (to the Domain Controller, and Staging Server to Web Farm 1), 1433 (Staging Server to SQL 1).]

Document the threats

Documenting threats to your systems is difficult

What kinds of things can go wrong?

How can an attacker take advantage of your network?

You must think like an attacker

What are the juicy bits of data?

What do they want to do with your environment?

Evaluate chains

If item A occurs then item B can occur…

Fault Trees

Demonstrate logical paths through a system

Used to highlight faults in a system

Points out relationships between faults

Allow us to estimate the interactions between faults

Goal: Root the SQL Server

[Fault tree, recovered as far as the figure allows. Root: Root the SQL Server (behind the Firewall). Nodes: Exploit blank SA password; Directory traversal on IIS; MUP BO on SQL; DLL loading trojan; Vroots with execute; Dump LSA secrets; Backup account is Domain Admin; Connect to SQL. Annotated break points:]

Break here by restricting outgoing traffic from web servers

Break here by limiting trust environment for service accounts

Break here by patching

Break here with IIS and SQL lockdown
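The "if A occurs then B can occur" chains and the "break here" annotations are exactly what a fault tree lets you compute. The following is an added example, not code from the deck: it encodes a tree of AND/OR gates over the leaf events named on the slide, lists the minimal sets of events that reach the goal (the attack paths), and shows which paths survive once a chosen set of break points has been applied. The leaf names are the deck's; how they combine into gates and which break point removes which leaf are assumptions made for this example, not something the slide states.

```python
"""Fault-tree (attack-tree) evaluation with break points.

Added example, not from the original deck.  The leaf events are the ones
named on the deck's fault tree; how they combine (the AND/OR structure) and
which break point removes which leaf are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    op: str = "leaf"                  # "leaf", "and" or "or"
    children: list = field(default_factory=list)


def leaf(name):
    return Node(name)


def all_of(name, children):           # AND gate: every child must occur
    return Node(name, "and", children)


def any_of(name, children):           # OR gate: one child is enough
    return Node(name, "or", children)


# Assumed structure for the deck's nodes.
GOAL = any_of("Root the SQL Server", [
    all_of("Via blank SA password", [
        leaf("Connect to SQL"),
        leaf("Exploit blank SA password"),
    ]),
    all_of("Via web server compromise", [
        leaf("Directory traversal on IIS"),
        leaf("Vroots with execute"),
        leaf("DLL loading trojan"),
        leaf("Dump LSA secrets"),
        leaf("Backup account is Domain Admin"),
    ]),
    leaf("MUP BO on SQL"),
])

# Which leaf each "break here" annotation removes.  Assumed mapping.
MITIGATIONS = {
    "restrict outgoing traffic from web servers": {"DLL loading trojan"},
    "limit trust environment for service accounts": {"Backup account is Domain Admin"},
    "patch": {"Directory traversal on IIS", "MUP BO on SQL"},
    "IIS and SQL lockdown": {"Vroots with execute", "Exploit blank SA password"},
}


def broken_by(chosen):
    """Union of the leaves removed by the chosen mitigations."""
    removed = set()
    for name in chosen:
        removed |= MITIGATIONS[name]
    return removed


def reachable(node, removed):
    """Can an attacker still reach `node` once the `removed` leaves are gone?"""
    if node.op == "leaf":
        return node.name not in removed
    results = [reachable(c, removed) for c in node.children]
    return all(results) if node.op == "and" else any(results)


def attack_paths(node):
    """Minimal cut sets: the smallest sets of leaf events that reach `node`."""
    if node.op == "leaf":
        return [frozenset([node.name])]
    if node.op == "and":
        paths = [frozenset()]
        for child in node.children:
            paths = [p | q for p in paths for q in attack_paths(child)]
    else:
        paths = [p for child in node.children for p in attack_paths(child)]
    return [p for p in paths if not any(q < p for q in paths)]


def surviving_paths(node, removed):
    """Attack paths that none of the removed leaves interrupt: the chains that
    still need a break point."""
    return [p for p in attack_paths(node) if not (p & removed)]


if __name__ == "__main__":
    chosen = ["patch"]
    print("patched only, goal reachable:", reachable(GOAL, broken_by(chosen)))
    for path in surviving_paths(GOAL, broken_by(chosen)):
        print("  still open:", sorted(path))
    chosen = ["patch", "IIS and SQL lockdown"]
    print("patched + lockdown, goal reachable:", reachable(GOAL, broken_by(chosen)))
```

The useful output is not the yes/no but the surviving paths: after patching alone, the blank-SA chain is still open, which is the argument for the lockdown step rather than for more patches. A break point only counts if it removes at least one leaf from every remaining path.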

Restrict

Policies allow nothing but…

Disable unnecessary services

Remove users

Restrict privileges

Turn on security tweaks

Remove permissions

Set very strong passwords

Restrict communications

IPSec

RRAS filters

Conclusion

Hardening networks requires understanding the environment

Optimal hardening requires deep understanding

There is a fundamental tradeoff between security and usability

Three-phase approach to network hardening: Document, Segregate, Restrict

Ask The ExpertsGet Your Questions Answered

Jesper will be at the Ask The Experts area from 12:30 to 14:30 on July 2

Suggested Reading And Resources

Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com

Microsoft Press books are available at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall

The tools you need to put technology to work!

Title | Available | Price
Microsoft Windows 2000 Security Technical Reference | Today | $49.99
Writing Secure Code, 2/e | Today | $49.99

Other Resources

Tools: Registry Monitor and File Monitor
http://www.sysinternals.com

For technical information:

Security information on Microsoft Products
http://www.microsoft.com/technet/security

Windows Server 2003
http://www.microsoft.com/windowsserver2003/

Threats and Countermeasures in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15160

MBSA
http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp

Open Hack IV Hardening
http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp

For training and certification questions:

Microsoft Training and Certification
http://www.microsoft.com/training

For Security Guidance And Training

Windows 2000 Security Hardening Guide
http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp

Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14846

Windows XP Security Guide
http://go.microsoft.com/fwlink/?LinkId=14839

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15159

Backup Slides

Common DFD Symbols: Process

A task or set of tasks that must be performed on data

Only the process is labeled, not the people or systems that perform them

Processes transform data:

To create a new output

To create new knowledge about the input

To sort

To distribute to different processes

Try to keep the number of processes to less than 10 on each diagram

Label the process with an imperative verb and noun

Common DFD Symbols: Data Store

Repository for data

Stores are passive objects

Could be logical: Registry, File System, Active Directory

Or physical: file cabinet

A data flow to a store means that data is being recorded

A data flow from a store means that data is being read

Label with a descriptive noun

Common DFD Symbols: Data Flow

Data being conveyed

Indicate direction of flow with an arrow

Each data flow is one logical set of data; think of it as a struct

Label with a descriptive noun: Authentication data, ASP source file


Hierarchical Levels

Context Diagram - A DFD showing the data flows between the target system and external entities.

Describes the boundaries of the system

The target system is represented by a single process bubble.

Level 0 - A DFD showing the major sub-systems and the data flows between them and to and from the outside world.

Level n - A DFD showing the components of one of the processes in the level n-1 diagram

A web farm can be exploded in a level 1

A simple web server context diagram

[Diagram: the Web Server as a single process; external entities Browser and Administrator. Flows between Browser and Web Server: Request for a page, Authentication request, Authentication data, Page contents. Flows between Administrator and Web Server: Configuration data, Logs and alerts.]

More Detail: Level 0 DFD

[Diagram: Level 0 explosion of the web server. External entities: Browser, Administrator. Processes: 1.0 Authentication Module, 2.0 Request Processor, 3.0 Configuration Manager, 4.0 Logging Engine. Data stores: Webroot, Authentication Database, Configuration Data, Logs. Numbered flows: 1.0 Page request, 2.0 Configuration data, 3.0 Authentication query, 4.0 Authentication request, 5.0 Authentication data, 6.0 User information, 7.0 Authentication result, 8.0 Page data, 9.0 Page contents, 10.0 Log data, 11.0 Configuration data, 12.0 Configuration data, 13.0 Configuration changes, 14.0 Configuration data, 15.0 Log configuration, 16.0 Log request, 17.0 Log data, 18.0 Logs and alerts.]

Even More Detail: Level 1 DFD

[Diagram: Level 1 explosion of 1.0 Authentication Module. Sub-processes: 1.1 Auth Processor, 1.2 Authentication Protocol Negotiation, 1.3 Sub-auth Module, still connected to Browser, 2.0 Request Processor and the Authentication Database. Numbered flows: 3.1 Authentication query, 3.2 Protocol negotiation request, 4.1 Authentication capabilities, 4.2 Auth protocol selection, 5.1 User auth data, 5.2 User auth data, 6.1 Auth result, together with the level-0 flows 4.0 Authentication request, 5.0 Authentication data, 6.0 User information and 7.0 Authentication result.]

Basic Rules

External Entities

Data flow between external entities is outside the scope of the diagram

External entities can only talk to processes

Would you let outsiders access your data stores directly?

Data flows

Flows are unidirectional

Flows can fork, if the same data is sent to two different processes or stores

A fork in a data flow means that exactly the same data goes to two different processes or data stores

A join in a data flow means that exactly the same data comes from two different processes or data stores

Data does not circle back to the originating process

Basic Rules

Processes

A process without input is a miracle, making data from nothing

A process without output is a black hole

Data Stores

Data stores are passive, hence they cannot move data

You do not ask data stores for information, you go get it

External entities should never access data stores directly

Summary: A data store should be connected to a process

Common Problems

Including unnecessary processes and external entities

Missing necessary processes

Combining activities into a single process

Not labeling all data flows

Processes that do not process

Multi-directional data flows
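Most of the Basic Rules and Common Problems above are structural and can be checked before anyone reasons about threats. The following is an added example, not code from the deck: it represents a DFD as a table of elements (external entity, process, data store) and a list of labelled, directed flows, and reports every flow whose endpoints do not include a process (an outsider or a store touching a store directly), every unlabeled flow, every flow that circles back to its own process, every miracle and black hole process, and every store not connected to a process. The element names are those of the deck's level-0 web server DFD; the flows are constructed, and four of them are deliberate violations so the checker has something to find.

```python
"""DFD rule checker.

Added example, not from the original deck.  The elements are those of the
deck's level-0 web server DFD; the flows are constructed, and four of them
are deliberate rule violations so the checker has something to find.
"""
from collections import defaultdict

EXTERNAL, PROCESS, STORE = "external entity", "process", "data store"

ELEMENTS = {
    "Browser": EXTERNAL,
    "Administrator": EXTERNAL,
    "1.0 Authentication Module": PROCESS,
    "2.0 Request Processor": PROCESS,
    "3.0 Configuration Manager": PROCESS,
    "4.0 Logging Engine": PROCESS,
    "5.0 Alerting Engine": PROCESS,   # constructed: receives but never emits
    "Webroot": STORE,
    "Authentication Database": STORE,
    "Configuration Data": STORE,
    "Logs": STORE,
}

# (source, destination, label).  Constructed flows; the marked ones are wrong.
FLOWS = [
    ("Browser", "2.0 Request Processor", "Page request"),
    ("2.0 Request Processor", "Browser", "Page contents"),
    ("2.0 Request Processor", "1.0 Authentication Module", "Authentication request"),
    ("1.0 Authentication Module", "2.0 Request Processor", "Authentication result"),
    ("1.0 Authentication Module", "Authentication Database", "Authentication query"),
    ("Authentication Database", "1.0 Authentication Module", "User information"),
    ("Webroot", "2.0 Request Processor", "Page data"),
    ("Administrator", "3.0 Configuration Manager", "Configuration changes"),
    ("3.0 Configuration Manager", "Configuration Data", "Configuration data"),
    ("Configuration Data", "2.0 Request Processor", "Configuration data"),
    ("2.0 Request Processor", "4.0 Logging Engine", "Log request"),
    ("4.0 Logging Engine", "Logs", "Log data"),
    ("4.0 Logging Engine", "Administrator", "Logs and alerts"),
    ("4.0 Logging Engine", "5.0 Alerting Engine", "Alert"),        # 5.0 becomes a black hole
    ("Browser", "Authentication Database", "Password lookup"),     # outsider hits a store
    ("2.0 Request Processor", "2.0 Request Processor", "Retry"),  # circles back
    ("Configuration Data", "3.0 Configuration Manager", ""),       # unlabeled
]


def check_dfd(elements, flows):
    """Return one finding string per broken rule; an empty list means clean."""
    findings = []
    inputs, outputs = defaultdict(int), defaultdict(int)
    for src, dst, label in flows:
        kind_src, kind_dst = elements[src], elements[dst]
        outputs[src] += 1
        inputs[dst] += 1
        if not label:
            findings.append(f"unlabeled flow: {src} -> {dst}")
        if src == dst:
            findings.append(f"circular flow: {src} -> {dst} ({label})")
        if PROCESS not in (kind_src, kind_dst):
            # every legal flow has a process at one end: entities and stores
            # never talk to each other directly
            findings.append(f"{kind_src} to {kind_dst} without a process: "
                            f"{src} -> {dst} ({label})")
    for name, kind in elements.items():
        if kind == PROCESS:
            if inputs[name] == 0:
                findings.append(f"miracle: {name} has no input")
            if outputs[name] == 0:
                findings.append(f"black hole: {name} has no output")
        elif kind == STORE and inputs[name] + outputs[name] == 0:
            findings.append(f"orphan store: {name} is not connected to any process")
    return findings


if __name__ == "__main__":
    for finding in check_dfd(ELEMENTS, FLOWS):
        print(finding)
```

The check that matters most for threat modeling is the "without a process" one: a flow from an external entity straight into a data store is the diagram saying that outsiders reach your data without any code in between, which is either a modeling mistake or the finding you were looking for.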

Community Resources

Community Resources: http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/

Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
