SEC313 Securing Enterprise Platforms And Perimeters
AKA – Building a Perimeter Platform and Infrastructure (with security)
Ben Smith, Senior Security Strategist, Microsoft Corporation
This year: application-level security focus
Goal: modify information in the database
82,500 attempted attacks over 2½ weeks
Microsoft entry wasn't compromised
Lesson learned: reasonably skilled administrators and developers can build Windows environments that are secure and resilient against attack
10 Basic Rules of Perimeter Security
1. Minimize the attack surface
2. Least privilege (deny by default)
3. Defense-in-depth
4. Compartmentalization
5. Carry a big stick (you have to tell people NO!)
6. Understand what your perimeter really is!
7. Know you cannot defend against other administrators or poor physical security
8. Assess your security (the attacker will be!)
9. If you are not up-to-date, you are not secure
10. Avoid assumptions
Application SecurityApplication Security
Ben’s rule of perimeter application security:
If the application has security holes, the best you can hope for is to slow the attacker down or limit the damage they can do
You must work with your developers!
For every application in/on the perimeter you must answer:
1. What data is being accessed or stored locally
2. What data is being transmitted
3. How the application communicates with other computers
4. How authentication is handled
5. What security measures the application is providing
6. What services the application depends on
7. How the application will be managed
8. Who will be managing the application
9. How operations can be audited
10. What the potential threats and vulnerabilities of the
Example perimeter (diagram):
ISA Server with inbound VPN
Active Directory
LAN Clients
Traffic allowed in:
Web: TCP 80/443 via web publishing
DNS: TCP/UDP 53
PPTP: GRE (IP protocol 47) and TCP 1723, to the ISA Server only (PPTP's control channel is TCP 1723, not UDP)
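The allow list above is enforced at the ISA Server; rule 3 (defense-in-depth) says each perimeter host should enforce the same deny-by-default policy itself, so a perimeter misconfiguration does not expose the whole DMZ. The following is an added example, not code from the deck or from Microsoft: it applies the slide's three services as Windows Firewall rules with the NetSecurity cmdlets (Windows 8 / Server 2012 and later, which post-date the talk), keyed by host role so a web server only opens 80/443 and only the VPN endpoint opens PPTP. The rule names and the role split are this example's own assumptions.

```powershell
# Added example, not from the SEC313 deck: the deck's perimeter allow list
# applied on the host itself with the Windows Firewall NetSecurity cmdlets
# (Windows 8 / Server 2012 and later). ISA Server is configured through its
# own console; this is the defense-in-depth copy of the same policy on each
# perimeter host. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# Role -> what the slide permits inbound. PPTP is GRE (IP protocol 47) plus
# the TCP 1723 control channel; only the VPN endpoint needs those two rules.
$PerimeterAllowList = @(
    @{ Role = 'Web'; Name = 'SEC313 Web publishing';  Protocol = 'TCP'; Port = 80, 443 },
    @{ Role = 'DNS'; Name = 'SEC313 DNS (TCP)';       Protocol = 'TCP'; Port = 53 },
    @{ Role = 'DNS'; Name = 'SEC313 DNS (UDP)';       Protocol = 'UDP'; Port = 53 },
    @{ Role = 'VPN'; Name = 'SEC313 PPTP control';    Protocol = 'TCP'; Port = 1723 },
    @{ Role = 'VPN'; Name = 'SEC313 PPTP data (GRE)'; Protocol = 47;    Port = $null }
)

function Set-PerimeterInboundPolicy {
    param([Parameter(Mandatory)][ValidateSet('Web', 'DNS', 'VPN')][string[]]$Roles)

    # Rule 2: least privilege, deny by default, on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    foreach ($svc in $PerimeterAllowList | Where-Object { $_.Role -in $Roles }) {
        # Idempotent: drop any earlier rule with the same name before re-creating it.
        Get-NetFirewallRule -DisplayName $svc.Name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule

        $rule = @{
            DisplayName = $svc.Name
            Direction   = 'Inbound'
            Action      = 'Allow'
            Protocol    = $svc.Protocol
            Profile     = 'Any'
        }
        if ($svc.Port) { $rule.LocalPort = $svc.Port }   # GRE has no port field
        New-NetFirewallRule @rule | Out-Null
    }
}

function Get-PerimeterInboundPolicy {
    # Rule 8: assess what is actually open, not what was meant to be open.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule     = $_.DisplayName
                Protocol = $pf.Protocol
                Port     = ($pf.LocalPort -join ',')
                Profile  = $_.Profile
            }
        }
}

# A DMZ web server gets only the web role; the VPN endpoint would get 'VPN'.
Set-PerimeterInboundPolicy -Roles Web
Get-PerimeterInboundPolicy | Format-Table -AutoSize
```

The second function is the check: it lists every enabled inbound allow rule, including the built-in ones Windows ships enabled (Core Networking, Remote Desktop if it was ever turned on), which is exactly what an attacker's port scan will see. Disable any of those the host's role does not need before calling the policy done.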
People-level complexity
More administrators
Distributed data to secure
More patch management issues
Host-level complexity
More systems and applications to monitor
Authentication issues to manage
Content propagation and management
2 Ways to Address the Complexity
Design the scalability of security from the start
Follow best practices for environments with more complexity and higher security requirements
Create a security budget for expansion
Assess the security of your network from the outside
Think about compartmentalization!
Build reusable security components on the hosts
Baseline security policy: Security Templates
Server-specific security policy: Security Templates, SRPs (Software Restriction Policies), security tools
Host-based IP security: TCP/IP security settings, IPsec policies
Baseline Security
Starts and ends with credential management
Tips:
1. Use multi-factor authentication when possible
2. Educate users and administrators on creating passwords
3. It is often easier for users to remember 20- to 30-character passwords than 8-character ones
4. Don't reuse passwords or share accounts
5. Avoid account lockout policies (aka the "increase your support costs feature")
There is no patch for weak passwords or weakly managed passwords!
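Tips 3 and 5 go together: if you turn lockout off, the only things standing between a password-guessing attacker and an account are password length and someone noticing the guessing. The following is an added example, not from the deck: it sets the domain's default password policy to the long-password, no-lockout posture the slide recommends (the ActiveDirectory module from RSAT is assumed), and then does the detection that lockout would otherwise have done for you, by grouping failed-logon events (Security log event ID 4625) on a domain controller by source address. The 20-character minimum, 24-password history and the 25-failures-in-15-minutes threshold are this example's own choices.

```powershell
# Added example, not from the SEC313 deck: enforce the passphrase guidance in
# the default domain password policy and, because lockout is deliberately
# off, hunt for password guessing in the Security log instead.
# Assumes the ActiveDirectory module (RSAT) and rights to read a DC's
# Security log. Thresholds below are illustrative, not from the deck.

Import-Module ActiveDirectory

function Set-PassphrasePolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Tip 3: long passwords. Tip 5: LockoutThreshold 0 = never lock out.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -LockoutThreshold 0

    Get-ADDefaultDomainPasswordPolicy -Identity $Domain
}

function Find-PasswordGuessing {
    # Event 4625 = an account failed to log on. With no lockout, a burst of
    # these from one source across many accounts is the signal to act on.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Minutes = 15,
        [int]$Threshold = 25                         # failures from one source
    )
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue                  # no events -> $null, not an error

    $events |
        ForEach-Object {
            # Read EventData fields by name from the event XML rather than by
            # position, so the parse does not break if the layout changes.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $d.TargetUserName
                Source  = $d.IpAddress        # '-' for local/console failures
                Status  = $d.Status           # 0xC000006D = bad user name or password
            }
        } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique).Count
                First    = ($_.Group.Time | Sort-Object)[0]
            }
        }
}

Set-PassphrasePolicy | Format-List MinPasswordLength, LockoutThreshold, PasswordHistoryCount
Find-PasswordGuessing -Minutes 60 | Format-Table -AutoSize
```

A high Failures count with a high Accounts count from one Source is password spraying (one or two guesses per account, rotating through the directory), which lockout never catches anyway because each account stays under the threshold; a high Failures count against one account is brute force. Either way the response is to block the source and check for a successful 4624 from it, not to lock the victims out.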
TCP/IP hardening (DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters):
EnableICMPRedirect: stops the host honouring ICMP redirects, which an attacker can use to re-route its traffic through a third party. Set to 0.
DisableIPSourceRouting: prevents an attacker from dictating the path of IP packets (source-routed packets are dropped). Set to 2.
SynAttackProtect: aggressively times out half-open TCP connections during a SYN flood. Set to 1 in Windows Server 2003; set to 2 in Windows 2000 and Windows XP.
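Rule 8 and rule 10 apply to these three values as much as to anything else: a host that was hardened once and rebuilt since is usually back at the defaults, and an absent value means the OS default (ICMP redirects honoured) is in effect. The following is an added example, not from the deck: a PowerShell audit of the three values that picks the SynAttackProtect target from the OS version exactly as the slide states, and rewrites drifted values when run with -Fix. It assumes the documented registry location, and notes that Windows Vista / Server 2008 and later no longer read SynAttackProtect (SYN flood protection is always on there), so on those systems it is reported as not applicable rather than as drift.

```powershell
# Added example, not from the SEC313 deck: audit and optionally set the three
# TCP/IP hardening values from the slide. Run elevated; a reboot is needed for
# changed values to take effect.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-ExpectedTcpipHardening {
    # SynAttackProtect target depends on OS, per the slide. NT 6.0+ (Vista /
    # Server 2008 and later) ignore the value: SYN protection is always on.
    $v   = [Environment]::OSVersion.Version
    $syn = if ($v.Major -gt 5)     { $null }   # value not read on this OS
           elseif ($v.Minor -eq 2) { 1 }       # Windows Server 2003 (5.2)
           else                    { 2 }       # Windows 2000 (5.0) / XP (5.1)
    @(
        @{ Name = 'EnableICMPRedirect';     Expected = 0;    Why = 'ignore ICMP redirects (route hijack via 3rd party)' },
        @{ Name = 'DisableIPSourceRouting'; Expected = 2;    Why = 'drop source-routed packets (attacker picks the path)' },
        @{ Name = 'SynAttackProtect';       Expected = $syn; Why = 'time out half-open TCP connections under SYN flood' }
    )
}

function Test-TcpipHardening {
    param([switch]$Fix)
    $props = Get-ItemProperty -Path $TcpipParams
    foreach ($s in Get-ExpectedTcpipHardening) {
        $actual = $props.($s.Name)            # $null when the value is absent
        $state  = if ($null -eq $s.Expected)       { 'N/A on this OS' }
                  elseif ($actual -eq $s.Expected) { 'OK' }
                  else                             { 'DRIFT' }
        if ($state -eq 'DRIFT' -and $Fix) {
            # Create or overwrite: an absent value leaves the insecure OS default in force.
            Set-ItemProperty -Path $TcpipParams -Name $s.Name -Value $s.Expected -Type DWord
            $state = 'FIXED (reboot to apply)'
        }
        [pscustomobject]@{
            Value    = $s.Name
            Expected = $s.Expected
            Actual   = $actual
            State    = $state
            Why      = $s.Why
        }
    }
}

# Audit only; add -Fix to remediate.
Test-TcpipHardening | Format-Table -AutoSize
```

Run the audit half from a scheduled task and alert on any DRIFT row: the values are cheap to set and just as cheap for an attacker with local admin to unset, and rule 7 reminds you that a hardened registry is no defence against another administrator.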
Lessons learned:
Denial of Service attack on a major web site
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Ask The Experts: Get Your Questions Answered
Talk with experts about how technology can enable your organization
I will be at the Security booth tomorrow: 15:00 to 18:00
Or earlier/later by request
Lattes are happily accepted ;)
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
MSA Firewall, Router and Switch Config: http://www.microsoft.com/solutions/msa/default.asp
ISA Feature Pack: http://www.microsoft.com/isaserver/featurepack1/overview/default.asp
Microsoft Solution for Security: http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp (2000), http://go.microsoft.com/fwlink/?LinkId=14845 (2003)