SEC403 Network Threat Modeling. Jesper M. Johansson, Ph.D., Security Program Manager, Security Business Unit, Microsoft Corporation.
Jan 17, 2016
Threat Modeling
Understanding and communicating the threats to your environment
Commonly used in application design
Writing Secure Code 2nd Ed.
Can also be applied to networks
Network Security Hardening
Default OS configuration is acceptable for a trusted network
Windows 2000 is very open by default
Windows Server 2003 is much more secure
Still room for improvement
Application hardening is critical
Same rules apply as for software
Lemma: You cannot design an optimal security configuration without a thorough understanding of the usage pattern of a system
Example 1: Windows 2000
IIS is turned on by default
All the samples are installed
Web printing is turned on
Anonymous users can connect
Enumerate all shares (including "hidden")
Enumerate all users
List administrators
Obtain auto admin logon credentials
Example 2: SQL Server 2000
Service account typically is Local System
Technically not correct, but if you specify anything else, it gets SeTCB
Public has execute permission on 1,000+ stored procedures and objects
Listens on several different transports
Tells anyone what databases are available
Example 3: Open Hack IV
Four systems
Web Server
SQL Server
Terminal Server
VPN Server
Well-understood environment
Limited Scope
Test-bed for new techniques
Diagram: Open Hack IV topology with the nodes Internet, Web, SQL, TS and VPN around a Virtual Net; the port labels 80, 1433, 3389 and GRE/1723 mark the permitted flows.
Open Hack IV Hardening
Windows 2000 Service Pack 3
All patches
IPSec restricted all traffic
Only known traffic allowed
No general traffic
Certificate-based (no domain PKI)
Unable to run SQL Enterprise Manager and RRAS Manager
Open Hack IV Hardening
SQL Server hardening
SQL 2000 Service Pack 2
Custom, unprivileged service account
Restrict access to sprocs and XPs
Anonymous web user account
Duplicated on SQL Server
Account has execute on sprocs
No access to the database
Lessons Learned
Analysis of target environment is absolutely essential
Must include analysis of protocols
Understanding what is unnecessary is hard
Baseline and deltas works well
Group policy is a bonus
Easy configuration of baseline/deltas
Includes IPSec policies
Careful smoke-testing needed
Applying the lessons - DSR
Document
Model applications and services
Environment dependent
Segregate
Applications
Security requirements
Restrict
Disable services
Close ports
Use IPSec or RRAS filters
Use different passwords
Document
Purpose is to communicate what the environment looks like
Use well understood modeling techniques
Modified Data flow diagrams
Threat trees
Verbose documentation
Looking at Systems with DFDs
Graphic representation showing communication between objects
Describes activities that process data
Shows how data flows through a system
Shows logical sequence of associations and activities
Sometimes known as a process model
We are appropriating and modifying this method
Modified Data Flow Diagram Conventions
Legend: System or Application; External Entity; Duplicated External Entity; Data Flow
Modeling a Network
Diagram: network model with Internet, Domain Controller, Client, Corporate Domain Controller, Corporate Clients, Web Farm 1, Web Farm 2, SQL Cluster, VPN Server and Corp Servers.
Superimposing the DFD
Diagram: the same network (Internet, Domain Controller, Client, Corporate Domain Controller, Corporate Clients, Web Farm 1, Web Farm 2, SQL Cluster, VPN Server, Corp Servers) with the modified DFD symbols superimposed.
Segregate
Segregate systems by application and security requirements
Should you trust systems that are not part of your application?
Which systems do they trust?
What are their security requirements?
Less sensitive systems may depend on more sensitive systems
More sensitive systems MUST NEVER depend on less sensitive systems
Documenting Segments
Diagram: segmented network with Internet Client, Web Farm 1, Web Farm 2, SQL 1, SQL 2, VPN, Term Serv, Domain Controller, Corp Servers, Corp Clients and Corp DCs; the flows between segments are labelled with their ports: 80, 443, 445, 1433, 1723 and 3389.
Trust Boundaries
Systems and entities you trust are included within your trust boundary
Should your trust boundary include databases?
It depends
Who writes to them?
Do you trust those systems?
If you trust the systems that write to the database you may still not want to trust the database
Is it secure?
Trust Boundaries
Diagram: a trust boundary drawn on the segment model with Internet Client, Web Farm 1, SQL 1, Staging Server and Domain Controller; flows labelled 80, 443, 1433 and 445.
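As an added illustration of the Segregate and Trust Boundaries rules (not part of the original talk), the following Python models the segments and ports from the slides, flags any flow where a more sensitive system depends on a less sensitive one, derives the port allow-list per segment pair that a "known traffic only" policy needs, and lists which systems inside a chosen trust boundary are relied on from outside it. The sensitivity ranks and the final flow are assumptions.

```python
# Constructed example, not from the talk: check a segment model against the
# Segregate rule (a more sensitive system must never depend on a less
# sensitive one) and derive the per-pair port allow-list a "known traffic
# only" IPSec or RRAS policy would need. Segment names and ports are from
# the Documenting Segments and Trust Boundaries slides; the sensitivity
# ranks and the final flow are assumptions chosen to make the check fire.
from collections import defaultdict

SENSITIVITY = {               # higher rank means more sensitive (assumed)
    "Internet Client": 0,
    "Web Farm 1": 1,
    "Staging Server": 2,
    "SQL 1": 3,
    "Domain Controller": 4,
}

FLOWS = [  # (dependent system, system it depends on, port): trust, not packet direction
    ("Internet Client", "Web Farm 1", 80),
    ("Internet Client", "Web Farm 1", 443),
    ("Web Farm 1", "SQL 1", 1433),
    ("Web Farm 1", "Domain Controller", 445),
    ("SQL 1", "Domain Controller", 445),
    ("Web Farm 1", "Staging Server", 445),     # web farm takes content from staging
    ("Domain Controller", "Web Farm 1", 445),  # constructed violation
]

def dependency_violations(flows, sensitivity):
    """Flows where the dependent side outranks the system it relies on."""
    return [(d, s, p) for d, s, p in flows if sensitivity[d] > sensitivity[s]]

def allowed_ports(flows):
    """Minimal allow-list per unordered segment pair; everything else is denied."""
    table = defaultdict(set)
    for d, s, p in flows:
        table[tuple(sorted((d, s)))].add(p)
    return {pair: sorted(ports) for pair, ports in table.items()}

def inside_boundary(flows, sensitivity, threshold):
    """Draw the trust boundary at a rank; return systems inside it that are
    still relied upon by something outside it (candidates to re-examine)."""
    inside = {n for n, r in sensitivity.items() if r >= threshold}
    return sorted({s for d, s, _ in flows if s in inside and d not in inside})

if __name__ == "__main__":
    for d, s, p in dependency_violations(FLOWS, SENSITIVITY):
        print(f"VIOLATION: {d} depends on less sensitive {s} over port {p}")
    for (a, b), ports in sorted(allowed_ports(FLOWS).items()):
        print(f"allow {a} <-> {b}: {ports}")
    print("relied on from outside boundary:", inside_boundary(FLOWS, SENSITIVITY, 3))
```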
Document the threats
Documenting threats to your systems is difficult
What kinds of things can go wrong?
How can an attacker take advantage of your network?
You must think like an attacker
What are the juicy bits of data?
What do they want to do with your environment?
Evaluate chains
If item A occurs then item B can occur…
Fault Trees
Demonstrate logical paths through a system
Used to highlight faults in a system
Points out relationships between faults
Allow us to estimate the interactions between faults
Fault tree example. Goal: Root the SQL Server
Nodes in the tree: Firewall; Exploit blank SA password; Directory traversal on IIS; MUP BO on SQL; DLL loading trojan; Vroots with execute; Dump LSA secrets; Backup account is Domain Admin; Connect to SQL
Break points marked on the tree:
Break here by restricting outgoing traffic from web servers
Break here by limiting trust environment for service accounts
Break here by patching
Break here with IIS and SQL lockdown
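An added example (not from the talk) of evaluating chains against the fault tree above in Python: each chain is a sequence of the slide's fault nodes, each break point removes the nodes it mitigates, and the code finds the smallest sets of break points after which no chain reaches the goal. Which nodes form a chain and which break point removes which node are assumptions.

```python
# Constructed example, not from the talk: evaluate "if A occurs then B can
# occur" chains from the fault tree for the goal "Root the SQL Server" and
# find the smallest sets of the slide's break points that cut every chain.
# Node and break-point names are the slide's labels; which nodes form a
# chain and which break point removes which node are assumptions.
from itertools import combinations

CHAINS = {  # each chain succeeds only if every step in it remains possible
    "A": ["Directory traversal on IIS", "Connect to SQL",
          "Exploit blank SA password", "Dump LSA secrets"],
    "B": ["Vroots with execute", "DLL loading trojan"],
    "C": ["Connect to SQL", "MUP BO on SQL", "Backup account is Domain Admin"],
}

BREAKS = {  # break point -> fault nodes it removes from the tree
    "restrict outgoing traffic from web servers": {"Connect to SQL"},
    "limit trust environment for service accounts":
        {"Dump LSA secrets", "Backup account is Domain Admin"},
    "patching": {"Directory traversal on IIS", "MUP BO on SQL"},
    "IIS and SQL lockdown": {"Vroots with execute", "Exploit blank SA password"},
}

def surviving_chains(chains, breaks, applied):
    """Names of chains that still complete after the given break points."""
    removed = set().union(*(breaks[b] for b in applied))
    return [name for name, steps in chains.items() if not removed.intersection(steps)]

def goal_reachable(chains, breaks, applied):
    return bool(surviving_chains(chains, breaks, applied))

def chains_cut_by(chains, breaks):
    """For each break point, the chains it removes on its own."""
    return {b: [n for n in chains if n not in surviving_chains(chains, breaks, [b])]
            for b in breaks}

def minimal_cut_sets(chains, breaks):
    """Smallest combinations of break points after which no chain survives."""
    names = sorted(breaks)
    for size in range(1, len(names) + 1):
        found = [set(c) for c in combinations(names, size)
                 if not goal_reachable(chains, breaks, c)]
        if found:
            return found
    return []

if __name__ == "__main__":
    for b, cut in chains_cut_by(CHAINS, BREAKS).items():
        print(f"{b}: cuts {cut}")
    print("minimal cut sets:", minimal_cut_sets(CHAINS, BREAKS))
```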
Restrict
Policies allow nothing but…
Disable unnecessary services
Remove users
Restrict privileges
Turn on security tweaks
Remove permissions
Set very strong passwords
Restrict communications
IPSec
RRAS filters
Conclusion
Hardening networks requires understanding the environment
Optimal hardening requires deep understanding
There is a fundamental tradeoff between security and usability
Three-phase approach to network hardening
Document
Segregate
Restrict
Ask The Experts
Get Your Questions Answered
Jesper will be at the Ask The Experts area from 12:30 to 14:30 on July 2
Suggested Reading And Resources
Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com
Microsoft Press books are available at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall
The tools you need to put technology to work!
TITLE | Available | Price
Microsoft Windows 2000 Security Technical Reference | Today | $49.99
Writing Secure Code, 2/e | Today | $49.99
Other Resources
Tools: Registry Monitor and File Monitor
http://www.sysinternals.com
For technical information:
Security information on Microsoft Products
http://www.microsoft.com/technet/security
Windows Server 2003
http://www.microsoft.com/windowsserver2003/
Threats and Countermeasures in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15160
MBSA
http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
Open Hack IV Hardening
http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
For training and certification questions:
Microsoft Training and Certification
http://www.microsoft.com/training
For Security Guidance And Training
Windows 2000 Security Hardening Guide
http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14846
Windows XP Security Guide
http://go.microsoft.com/fwlink/?LinkId=14839
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15159
Backup Slides
Common DFD Symbols
Process
A task or set of tasks that must be performed on data
Only the process is labeled, not the people or systems that perform them
Processes transform data
To create a new output
To create new knowledge about the input
To sort
To distribute to different processes
Try to keep the number of processes to less than 10 on each diagram
Label process with an imperative verb and noun
Common DFD Symbols
Data store
Repository for data
Stores are passive objects
Could be logical
Registry
File System
Active Directory
Or physical
File cabinet
A data flow to a store means that data is being recorded
A data flow from a store means that data is being read
Label with a descriptive noun
Common DFD Symbols
Data Flow
Data being conveyed
Indicate direction of flow with an arrow
Each data flow is one logical set of data, think of it as some struct
Label with a descriptive noun
Authentication data
ASP source file
Hierarchical Levels
Context Diagram - A DFD showing the data flows between the target system and external entities.
Describes the boundaries of the system
The target system is represented by a single process bubble.
Level 0 - A DFD showing the major sub-systems and the data flows between them and to and from the outside world.
Level n - A DFD showing the components of one of the processes in the level n-1 diagram
A web farm can be exploded in a level 1
A simple web server context diagram
Diagram: external entities Browser and Administrator around the single process Web Server; flows: Request for a page, Authentication Request, Authentication Data, Page contents, Configuration data, Logs and alerts.
More Detail: Level 0 DFD
Diagram: external entities Browser and Administrator; processes 1.0 Authentication Module, 2.0 Request Processor, 3.0 Configuration manager and 4.0 Logging Engine; data stores Webroot, Authentication Database, Configuration Data and Logs.
Labelled flows: 1.0 Page Request; 2.0 Configuration Data; 3.0 Authentication query; 4.0 Authentication Request; 5.0 Authentication Data; 6.0 User Information; 7.0 Authentication Result; 8.0 Page data; 9.0 Page contents; 10.0 Log data; 11.0 Configuration Data; 12.0 Configuration Data; 13.0 Configuration changes; 14.0 Configuration Data; 15.0 Log configuration; 16.0 Log Request; 17.0 Log Data; 18.0 Logs and alerts.
Even More Detail: Level 1 DFD
Diagram: explosion of process 1.0 Authentication Module into 1.1 Auth Processor, 1.2 Authentication Protocol Negotiation and 1.3 Sub-auth Module, shown together with the Browser, 2.0 Request Processor and the Authentication Database from the level 0 diagram.
Labelled flows: 4.0 Authentication Request; 5.0 Authentication Data; 6.0 User Information; 7.0 Authentication Result; 3.1 Authentication query; 3.2 Protocol Negotiation Request; 4.1 Authentication Capabilities; 4.2 Auth Protocol Selection; 5.1 User Auth Data; 5.2 User Auth Data; 6.1 Auth Result.
Basic Rules
External Entities
Data flow between external entities is outside the scope of the diagram
External entities can only talk to processes
Would you let outsiders access your data stores directly?
Data flows
Flows are unidirectional
Flows can fork, if the same data is sent to two different processes or stores.
A fork in a data flow means that exactly the same data goes to two different processes or data stores.
A join in a data flow means that exactly the same data comes from two different processes or data stores
Data does not circle back to the originating process
Basic Rules
Processes
A process without input is a miracle, making data from nothing
A process without output is a black hole
Data Stores
Data stores are passive, hence they cannot move data
You do not ask data stores for information, you go get it
External entities should never access data stores directly
Summary: A data store should be connected to a process
Common Problems
Including unnecessary processes and external entities
Missing necessary processes
Combining activities into a single process
Not labeling all data flows
Processes that do not process
Multi-directional data flows
Community Resources
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.