Microsoft Days 09 Windows 2008 Security


This is my presentation, which I made at Microsoft Days Bulgaria, Kempinski Hotel, 15.04.2009.


  1. IT Professionals. Kempinski Hotel Zografski, Sofia
  2. Windows Server 2008 Security Improvements. Deniz Kaya, Microsoft, Cisco, Ironport, Mile2 Instructor; MCT, MCSE, CCSI, CCSP, CCNP, ICSI, ICSP, CPTS. 26 April 2009
  3. Agenda
     • Windows Firewall with Advanced Security
     • Server and Domain Isolation
     • Server Core
     • Windows Service Hardening
     • Read-Only Domain Controllers
     • Fine-grained Password Policy
     • Network Access Protection
  4. Windows Firewall with Advanced Security
     • Combined firewall and IPsec management
       – New management tools
       – Windows Firewall with Advanced Security MMC snap-in
       – Reduces conflicts and coordination overhead between technologies
     • Firewall rules become more intelligent
       – Specify security requirements such as authentication and encryption
       – Specify Active Directory computer or user groups
     • Outbound filtering
       – Enterprise management feature, not for consumers
     • Simplified protection policy reduces management overhead
  5. (Diagram) Combined firewall and IPsec management; firewall rules become more intelligent; policy-based networking
  6. Server & Domain Isolation
     • Server Isolation: protect specific high-value servers and data
     • Domain Isolation: protect managed computers from unmanaged or rogue computers and users
  7. Isolation Solution Details
     • Policy Management: policies are created, distributed, and managed through Active Directory® Security Groups and Group Policy
       – Domain membership is required to access trusted resources
       – Expands the use of supportive tools like Microsoft Systems Management Server (SMS) 2003 or Windows Server® Update Service (WSUS)
     • Authentication is based on machine and user credentials
       – Kerberos, X.509 certificates, NTLM version 2 (NTLMv2), NAP health certificates
     • Enforcement: policies are enforced at the network layer by IPsec
       – Uses IPsec transport mode for end-to-end security and Network Address Translation (NAT) traversal
       – Packets encapsulated with Encapsulating Security Payload (ESP) or Authentication Header (AH) for authentication and integrity
       – Optionally, encryption of highly sensitive network traffic
  8. Demo: Windows Firewall with Advanced Security, Server & Domain Isolation
  9. Server Core
     • Only a subset of the executable files and DLLs installed
     • No GUI interface installed
     • 9 available Server Roles
     • Can be managed with remote tools
  10. Server Core and Roles
     • Windows Server is frequently deployed to support a single role or a fixed workload
       – Despite a fixed workload, you still have to deploy and service all of Windows Server
       – Services not essential to the workload have costs for servicing, security, and management
     • IT staff and IT skills are technology role-centric
       – Active Directory administrators don't usually administer web servers
       – Skill sets for SQL administration are not highly transferable to DHCP administration
  11. Windows Service Hardening
     • Built-in accounts for easy management
       – No password management requirements
       – LocalSystem: very powerful and has most privileges, use cautiously
       – LocalService and NetworkService: greatly reduced privilege set
       – Network Service uses the machine account for remote authentication
     (Diagram: Service Hardening provides active protection of the file system, registry and network)
  12. Service Hardening
     • Services are attractive targets for malware
       – Run without user interaction
       – Number of critical vulnerabilities in services
       – Large number of services run as "System"
       – Worms target services: Sasser, Blaster, CodeRed, Slammer, etc.
  13. Problem: Shared Session 0
     • Services and user applications for the console user run in the same session (session 0)
     • Application windows in the same session can freely send window messages to each other. A low-privilege application window may exploit a vulnerability in a high-privilege application window by means of window messaging
  14. Solution: Session 0 Isolation
     • No more shared Session 0
       – Session 0 is assigned exclusively to services and the session is made non-interactive
       – User applications run in session 1 and higher
       – Services are isolated from user applications to avoid attacks
  15. Problem: Privilege Issue
     • Services automatically gain all privileges of the account they are running in
     • Services cannot specify the set of privileges they require
     • Lack of granular control over privileges
       – Services run with unnecessarily high privileges
     (Diagram: Local System hosts services such as Disk Manager and Garbage Collector, with privileges such as Load driver, Shut Down, Back Up)
  16. Solution: Running With Least Privilege
     • Privilege stripping
       – Enables a service to run with least privilege
     • Use only required privileges
       – Express required privileges during service configuration
         • SeBackupPrivilege, SeRestorePrivilege, etc.
         • ChangeServiceConfig2 API (sc.exe can be used as well)
       – SCM computes the union of all hosted services' required privileges
         • Permanently removes unnecessary privileges from the process token when the service process starts
       – No privileges are added
         • The target account must support the required privileges, e.g. a service in the LocalService account cannot get SeTcbPrivilege
  17. Problem: No Service Isolation
     • Services do not have their own individual identity
       – The identity of a service is tied to the account it is running in
       – E.g. when the Web Server is granted access to a database, the Time Server also gains access to the database
     (Diagram: Web Server and Time Server both run as Account: LocalService, and both reach the Database)
  18. Solution: Service Isolation
     • Service-specific SID
       – 1:1 mapping between service name and SID
       – Use it to ACL the objects the service needs, allowing access only to the service-specific SID
         • Use ChangeServiceConfig2 or sc.exe to control the service SID
         • Set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
     • Service-specific SID assigned at start time
       – When the service process starts, the SCM adds service SIDs to the process token
         • S-1-5-80-XXXXX-YYYYY
       – SID enabled/disabled when the service starts/stops
       – Service SIDs are local to the machine
  19. Network Access Restriction
     – Service network restrictions are implemented with per-service SIDs
     – The Server 2008/Vista firewall has been enhanced to support service network restriction
     – Services can add a firewall rule to specify the communication protocol, ports and direction of the traffic
       • E.g. a service can add a rule to restrict its network access to TCP port 10000 for outbound communication
     – The integrated firewall in Vista/Server 2008 will block all other types of network access
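As an added example (not from the presentation), the Python below derives a service's S-1-5-80 SID from its name, as described on slide 18, and then models the slide 17 versus slide 18 access check: a token carrying the account SID and the service SID, evaluated against an ACL granting the account and against one granting only the service SID. The service names, ACL sets and the minimal access-check helper are constructed; the SID derivation is the same computation that `sc.exe showsid <name>` performs.

```python
import hashlib
import struct

# Well-known SIDs of the built-in service accounts from slide 11.
LOCAL_SYSTEM = "S-1-5-18"
LOCAL_SERVICE = "S-1-5-19"
NETWORK_SERVICE = "S-1-5-20"

def service_sid(service_name: str) -> str:
    """Per-service SID (slide 18): S-1-5-80 followed by the SHA-1 of the
    upper-cased, UTF-16LE-encoded service name, read as five little-endian
    uint32 sub-authorities. Same value as `sc.exe showsid <name>`; it is a
    pure function of the name, but only meaningful on the local machine."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(x) for x in struct.unpack("<5I", digest))

def process_token_sids(account_sid: str, hosted_services) -> set:
    """SIDs the SCM places in a service process token at start (slide 18):
    the account SID plus one service SID per hosted service."""
    return {account_sid} | {service_sid(s) for s in hosted_services}

def access_allowed(token_sids: set, acl_allow_sids: set) -> bool:
    """Constructed minimal check: access is granted if any token SID is in
    the object's allow list (no deny ACEs modelled here)."""
    return bool(token_sids & acl_allow_sids)

# Constructed slide 17 scenario: two unrelated services, both LocalService.
web_token = process_token_sids(LOCAL_SERVICE, ["WebServer"])
time_token = process_token_sids(LOCAL_SERVICE, ["TimeServer"])

# Slide 17 problem: an ACL written for the account admits every service in it.
DB_ACL_BY_ACCOUNT = {LOCAL_SERVICE}
# Slide 18 solution: ACL the database to the web service's own SID only.
DB_ACL_BY_SERVICE = {service_sid("WebServer")}

def slide17_vs_slide18() -> dict:
    return {
        "web_via_account": access_allowed(web_token, DB_ACL_BY_ACCOUNT),    # True
        "time_via_account": access_allowed(time_token, DB_ACL_BY_ACCOUNT),  # True: the leak
        "web_via_service": access_allowed(web_token, DB_ACL_BY_SERVICE),    # True
        "time_via_service": access_allowed(time_token, DB_ACL_BY_SERVICE),  # False
    }

if __name__ == "__main__":
    print(service_sid("TrustedInstaller"))  # known NT SERVICE\TrustedInstaller SID
    print(slide17_vs_slide18())
```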
  20. RODC (Diagram: Main Office and Branch Office; Features, Role Separation, Benefits)
  21. So how can we deploy a Domain Controller in this environment?!
  22. Read-Only Domain Controller
     • 1-Way Replication
       – No replication from RODC to Full DC
       – Attack on RODC does not propagate to the AD
     • Admin Role Separation
       – RODC Server Admin does NOT need to be a Domain Admin
       – Prevents Branch Admin from accidentally causing harm to the AD
       – Delegated promotion
     • Passwords not cached by default
       – Policy to configure caching of branch-specific passwords (secrets) on the RODC
       – Policy to filter schema attributes from replicating to the RODC
  23. RODC: Attacker "experience" (cartoon, attacker vs. RODC)
     • Attacker: "Let's tamper data on this RODC." RODC: "By default I have a read-only database. Also, no other DC in the enterprise replicates data from me."
     • Attacker: "Let's intercept credentials sent to this RODC." RODC: "I do not have any secrets cached. I do not hold any custom app-specific attributes either."
     • Attacker: "Let's steal this Domain Admin identity and use its credentials." RODC: "With Admin role separation, the Domain Admin doesn't need to log in to me."
     • Attacker: "Damn!"
  24. Read-Only Domain Controller: How it works? (Branch RODC, Hub Full DC)
     1. Logon request sent to RODC
     2. RODC looks in its DB: "I don't have the user's secrets"
     3. Forwards request to Full DC
     4. Full DC authenticates user
     5. Returns authentication response and TGT back to the RODC
     6. RODC gives TGT to user and queues a replication request for the secrets
     7. Hub DC checks Password Replication Policy to see if the password can be replicated
  25. Read-Only Domain Controller: Recommended Deployment Models
     • No accounts cached (default)
       – Pro: most secure, still provides fast authentication and policy processing
       – Con: no offline access for anyone
     • Most accounts cached
       – Pro: ease of password management; a manageability improvement of the RODC, not a security one
       – Con: more passwords potentially exposed to the RODC
     • Few accounts (branch-specific accounts) cached
       – Pro: enables offline access for those that need it, and maximizes security for others
       – Con: fine-grained administration is a new task
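Added example (not from the presentation): a small Python model of the slide 24 logon path and of the slide 25 deployment models, with the step 7 Password Replication Policy check written out. User and group names are constructed; the Allow/Deny semantics (Deny wins) and the groups denied by default are the Windows Server 2008 RODC defaults.

```python
from dataclasses import dataclass, field

# Groups denied by default in a fresh RODC Password Replication Policy.
DEFAULT_DENIED = {
    "Domain Admins", "Enterprise Admins", "Account Operators", "Server Operators",
    "Backup Operators", "Denied RODC Password Replication Group",
}

@dataclass
class RODC:
    allowed_groups: set                                   # msDS-Reveal-OnDemandGroup
    denied_groups: set = field(default_factory=lambda: set(DEFAULT_DENIED))  # msDS-NeverRevealGroup
    cached_secrets: set = field(default_factory=set)     # users whose secrets replicated here

    def may_cache(self, user: str, memberships: dict) -> bool:
        """Step 7 of slide 24: Deny always beats Allow; otherwise the user must
        be in an allowed group. Nested-group expansion is not modelled."""
        groups = memberships.get(user, set())
        if groups & self.denied_groups:
            return False
        return bool(groups & self.allowed_groups)

def logon(rodc: RODC, hub_secrets: set, user: str, memberships: dict):
    """Walk slide 24. Returns (who_authenticated, secret_replicated_to_rodc)."""
    if user in rodc.cached_secrets:        # step 2: RODC holds the secret, answers locally
        return ("rodc", False)
    if user not in hub_secrets:            # steps 3-4: hub DC rejects an unknown user
        return ("denied", False)
    # steps 5-6: hub returns the TGT; RODC hands it out and queues replication
    if rodc.may_cache(user, memberships):  # step 7: PRP decides whether to replicate
        rodc.cached_secrets.add(user)
        return ("hub", True)
    return ("hub", False)

# Constructed directory: a branch user and a domain admin who is also in the branch group.
MEMBERSHIPS = {"alice": {"Sofia Branch Users"},
               "dadmin": {"Domain Admins", "Sofia Branch Users"}}
HUB_SECRETS = {"alice", "dadmin"}

def default_model() -> RODC:   # slide 25: "No accounts cached" (Allowed list empty)
    return RODC(allowed_groups=set())

def branch_model() -> RODC:    # slide 25: "Few accounts (branch-specific accounts) cached"
    return RODC(allowed_groups={"Sofia Branch Users"})
```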
  26. Demo: Read-Only Domain Controllers
  27. Fine-Grained Password Policies: Overview
     • Granular administration of password and lockout policies within a domain
     • Usage examples:
       – Administrators: strict setting (passwords expire every 14 days)
       – Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
       – Average user: "light" setting (passwords expire every 90 days)
  28. Fine-Grained Password Policies: At a glance
     • Policies can be applied to:
       – Users
       – Global security groups
     • Does NOT apply to:
       – Computer objects
       – Organizational Units
     • Multiple policies can be associated with a user, but only one applies
  29. Fine-Grained Password Policies: Example (diagram)
     • PSO 1: Precedence = 10, Password Settings, Applies To object
     • PSO 2: Precedence = 20, Password Settings, Applies To object
     • Both PSOs are linked to the same object; Resultant PSO = PSO1
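Added example (not from the presentation): the resolution rule behind slide 29, written out in Python and applied to the slide 27 settings. PSO names, GUIDs and group names are constructed; the rules (direct user links beat group links, lowest precedence wins, ties go to the smallest objectGUID, otherwise the Default Domain Policy applies) are the documented Windows Server 2008 fine-grained password policy behaviour.

```python
from dataclasses import dataclass
import uuid

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int            # msDS-PasswordSettingsPrecedence (lower wins)
    applies_to: frozenset      # msDS-PSOAppliesTo: user or global security group names
    guid: uuid.UUID            # objectGUID, the tie-breaker
    max_password_age_days: int

def resultant_pso(user: str, global_groups: set, psos):
    """Pick the single PSO that applies (slide 28: many may be linked, one applies).
    1. PSOs linked directly to the user beat PSOs linked via global groups.
    2. Among those, the lowest precedence wins.
    3. A precedence tie goes to the smallest objectGUID (compared here as a
       128-bit integer).
    4. No candidates: the Default Domain Policy applies (returned as None)."""
    direct = [p for p in psos if user in p.applies_to]
    via_group = [p for p in psos if p.applies_to & global_groups]
    candidates = direct or via_group
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))

# Constructed PSOs carrying the slide 27 settings. OUs and computer objects are
# deliberately absent: PSOs cannot be applied to them (slide 28).
PSOS = [
    PSO("PSO1-Admins", 10, frozenset({"Domain Admins"}), uuid.UUID(int=1), 14),
    PSO("PSO2-Service", 20, frozenset({"Service Accounts"}), uuid.UUID(int=2), 31),
    PSO("PSO3-Users", 30, frozenset({"Domain Users"}), uuid.UUID(int=3), 90),
]

def max_age_for(user: str, global_groups: set, psos=PSOS, domain_default_days=42) -> int:
    """Effective maximum password age, falling back to the domain default
    (42 days is the Default Domain Policy value, passed in as a parameter)."""
    pso = resultant_pso(user, global_groups, psos)
    return pso.max_password_age_days if pso else domain_default_days
```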
  30. Network Access Protection (Diagram: Windows Client; DHCP, VPN, Switch/Router; Microsoft Network Policy Server (RADIUS); Policy Servers such as Patch, AV; Remediation Servers; Restricted Network; Corporate Network)
     1. Client requests access to the network and presents its current health state
     2. DHCP, VPN or Switch/Router relays the health status to the Microsoft Network Policy Server (RADIUS)
     3. Network Policy Server (NPS) validates it against the IT-defined health policy
     4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1-4)
     5. If policy compliant, the client is granted full access to the corporate network
  31. NAP: Enforcement Options
     Enforcement              Healthy Client                         Unhealthy Client
     DHCP                     Full IP address given, full access     Restricted set of routes
     VPN (MS and 3rd Party)   Full access                            Restricted VLAN
     802.1X                   Full access                            Restricted VLAN
     IPsec                    Can communicate with any trusted peer  Healthy peers reject connection requests from unhealthy systems
     IPsec complements layer 2 protection, works with existing servers and infrastructure, and offers flexible isolation
  32. IPsec-based NAP Walk-through (Quarantine Zone, Boundary Zone, Protected Zone)
     • Client → DHCP: "May I have a DHCP address?" DHCP: "Here you go."
     • Client → Health Registration Authority: "May I have a health certificate? Here's my SoH."
     • Health Registration Authority → NPS: "Client ok?" NPS: "No. Needs fix-up."
     • Health Registration Authority → Client: "You don't get a health certificate. Go fix up."
     • Client → Remediation Server: "I need updates." Remediation Server: "Here you go."
     • Client → Health Registration Authority: "May I have a health certificate? Here's my SoH." NPS: "Yes. Issue health certificate." Health Registration Authority: "Here's your health certificate."
     • Client: accessing the network
  33. Thank you!