Bh Win 03 Rileybollefer

Surviving OpenHack 4, Steve Riley, Timothy Bollefer, Microsoft Corporation


1. Surviving OpenHack 4
   Steve Riley and Timothy Bollefer, Microsoft Corporation

2. Yes we can
   - Believe it!
   - Any reasonably skilled administrator can build a Windows environment that is secure and resilient against attack
   - You'll learn today how we won the latest OpenHack competition run by eWeek
   - You can use these principles today on your own deployments

3. System components
   - Web application
   - IIS 5.0
   - Windows 2000 AS
   - IPSec policies
   - Remote management and monitoring
   - SQL Server 2000
   - Passwords
   - Keep this in mind: we used no firewalls!

4. Web application

5. Web application
   - Built on eWeek's eXcellence Awards web site
     - User sets up an account
     - Enters a product or service for judging
     - Submits a credit card number to pay the entry fee
     - Reads information about the award
   - Built with the .NET Framework
     - ASP.NET
     - ADO.NET
     - Cryptography class libraries

6. Web application: user authentication
   - ASP.NET provides many options
     - Integrated Windows authentication
     - Basic
     - Digest
     - .NET Passport
     - Client certificate
     - Forms (custom)
   - eWeek requested forms

7. Web application: forms authentication
   - POST user name and password over SSL
   - Use an encrypted cookie to keep the logon session
   - Unauthenticated users can access the home page (and a couple of others)
     - Requests to secure pages get redirected to the logon page

8. Web application: page protection
   - Request forms authN with three lines of code
     - <system.web> section of the Web.config file in the application's root folder
     - Applies to all pages in the application
   - Protect certain pages in a subfolder with a little more code
     - Add another Web.config there
     - Inherits authN info from the top-level file
     - Denies access to unauthenticated users

9. Web application: page protection, request authN

       <authentication mode="Forms">
         <forms loginUrl="Login.aspx" name="OPSAMPLEAPP" />
       </authentication>

10. Web application: page protection, require authN

       <?xml version="1.0" encoding="utf-8" ?>
       <configuration>
         <system.web>
           <authorization>
             <deny users="?" />
           </authorization>
         </system.web>
       </configuration>

   - The "?" in <deny users="?" /> denotes anonymous (unauthenticated) users

11. Demo: Web.config files
12. Web application: account creation and login
   - New account
     - Encrypt the password with 3DES
     - Store it in the database with the user name
   - Login to an existing account
     - Encrypt the supplied password with 3DES
     - Compare with the encrypted password in the database
     - Create a cookie and send it to the user
       - System.Web.Security.FormsAuthentication class
   - All over SSL
     - Keeps an eavesdropper from capturing the credential or session cookie and replaying it
   - Caveat: reversible encryption means anyone who obtains the key recovers every password; a salted one-way hash (compare hashes, never decrypt) is the safer choice for passwords. The card numbers, which must be recovered later, are the data that genuinely needs encryption.

13. Web application: input validation
   - Critically important security function
   - Ensure user input doesn't change the application's behavior
   - Helps guard against
     - Buffer overruns
     - Cross-site scripting
     - Malicious code execution

14. Web application: input validation
   - Requires multiple layers
     - Plan for the worst
     - Assume one or more tiers could be compromised
   - Four checks
     - Validate all field input
     - Validate the query string portion of the URL
     - Use stored procedures with type-checked parameters
     - HTML-encode all data sent to users

15. Web application: input validation, 1st check
   - Two ASP.NET validator controls
     - RegularExpressionValidator
     - RequiredFieldValidator
   - Limited input characters to space, apostrophe, comma, period, letters, numbers
   - Other characters blocked
     - Commonly used in injected code
   - Note that the apostrophe stays on the allow list, so this check by itself does not stop SQL injection; that is what the 3rd check is for
   - The validator controls also run client-side, but only the server-side result (Page.IsValid) counts

16. Web application: input validation, 2nd check
   - Parse the URL query string
     - System.Text.RegularExpressions.Regex
   - Validate input with a regular expression
     - Allow numbers only

       Regex isNumber = new Regex("^[0-9]+$");
       if (isNumber.IsMatch(inputData)) {
           // use it
       }
       else {
           // discard it
       }

17. Web application: input validation, 3rd check
   - Use stored procedures for data access
     - Limits the app's interaction with the database
     - Strongly typed parameters
   - Allowing the web app to dynamically build queries is baaaaad!
     - Whacked web server -> arbitrary SQL injection
   - Input parameters are type-checked first

18. Web application: input validation, 4th check
   - HTML-encode all data sent back to the user
     - HtmlEncode method in the System.Web.HttpServerUtility class
   - Prevents cross-site scripting attacks
     - Compromise database -> enter script in records -> return to user -> execute in browser
     - Script commands are translated to harmless text

       SomeLabel.Text = Server.HtmlEncode(username);

19. Demo: input validation code
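The four checks from slides 14 through 18 in one data-access helper, as an added example that is not the OpenHack application's own code. The stored procedure names GetEntry and FindEntriesByOwner, the Entries table, the parameter names and the 64-character field cap are hypothetical. The unsafe method is included only for contrast: it shows that the slide-15 allow list passes the string `x' OR 'a' LIKE 'a` (letters, space and apostrophes only), which is why the typed stored-procedure call, not the character filter, is the injection defense.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not the OpenHack code. GetEntry, FindEntriesByOwner,
// Entries, @EntryId and @Owner are hypothetical names.
public static class InputGuard
{
    // 1st check: the deck's allow list (space, apostrophe, comma, period,
    // letters, digits). The length cap of 64 is an assumption. Because the
    // apostrophe is permitted, this check alone cannot stop SQL injection.
    private static readonly Regex FieldChars = new Regex(@"^[A-Za-z0-9 ',.]{1,64}$");

    // 2nd check: query-string values must be decimal digits only
    // (at most 9 digits, so the value always fits an int).
    private static readonly Regex Digits = new Regex(@"^[0-9]{1,9}$");

    public static bool IsValidField(string value)
    {
        return value != null && FieldChars.IsMatch(value);
    }

    // Returns false, with id = 0, for anything that is not a plain number.
    public static bool TryParseId(string queryValue, out int id)
    {
        id = 0;
        return queryValue != null && Digits.IsMatch(queryValue)
            && int.TryParse(queryValue, out id);
    }

    // BAD, shown for contrast: dynamic SQL. The owner name  x' OR 'a' LIKE 'a
    // passes IsValidField and yields  ... WHERE Owner = 'x' OR 'a' LIKE 'a'
    // which is true for every row.
    public static string UnsafeOwnerQuery(string ownerName)
    {
        return "SELECT * FROM Entries WHERE Owner = '" + ownerName + "'";
    }

    // 3rd check: a stored procedure with a strongly typed parameter. The id
    // travels as an int in the RPC call and is never spliced into SQL text.
    public static SqlCommand SafeGetEntry(SqlConnection connection, int entryId)
    {
        SqlCommand command = new SqlCommand("GetEntry", connection);
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.Add("@EntryId", SqlDbType.Int).Value = entryId;
        return command;
    }

    // Same idea for a text field: the parameter is typed and length-bounded,
    // so an apostrophe-bearing name is just data to the server.
    public static SqlCommand SafeFindByOwner(SqlConnection connection, string ownerName)
    {
        if (!IsValidField(ownerName)) throw new ArgumentException("invalid owner name");
        SqlCommand command = new SqlCommand("FindEntriesByOwner", connection);
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.Add("@Owner", SqlDbType.NVarChar, 64).Value = ownerName;
        return command;
    }

    // 4th check: encode on the way out so script stored in a record renders as text.
    public static string ForHtml(string fromDatabase)
    {
        return HttpUtility.HtmlEncode(fromDatabase);
    }
}
```

Call `IsValidField` and `TryParseId` before touching the database, build every command through `SafeGetEntry`/`SafeFindByOwner`, and pass every value that came from the database through `ForHtml` before it reaches a page. The grants that make this meaningful are on slide 64: the application account gets EXECUTE on the procedures and nothing on the tables.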
20. Web application: storing secrets
   - Need to protect two kinds here
     - Database connection/login string
     - User password and credit card information
   - Use different approaches for each

21. Web application: storing secrets, connection string
   - Web app needs to authenticate to the database
   - The usual method is to store an ID/password in code
     - Holy grail for an attacker
   - Use integrated Windows authN
     - String contains only the server location and DB name
     - Stored in the "code-behind" file, the core app logic
       - Not in the user interface definition files
   - Still not enough
     - An attacker on the physical machine could read the file
     - So...

22. Web application: storing secrets, connection string
   - Encrypt the string using data protection API (DPAPI) functions
     - CryptProtectData and CryptUnprotectData
     - Encrypts secrets without having to manage or store keys
   - Store the string in the registry
   - ACL the registry key to
     - Administrators
     - The ASPNET worker process account

23. Web application: storing secrets, user info
   - DPAPI is less useful here
     - Keys are based on local machine information
     - Each web server in the farm would have its own key; shared data can't be accessed this way

24. Web application: storing secrets, user info
   - Generate a 3DES encryption key and initialization vector
     - TripleDES class in System.Security.Cryptography
   - Symmetrically encrypt the password and credit card number stored in the DB
     - "Salt": a cryptographically strong random first block per record, so equal plaintexts don't produce equal ciphertexts
   - Encrypt the key and IV with DPAPI and store them in the ACLed registry on each web server

25. Demo: code for storing secrets
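The user-data scheme from slides 23 and 24 as an added example (not the deck's own code): one 3DES key shared by the farm, wrapped with DPAPI on each web server and kept in the registry, with each record encrypted under a fresh random block. The deck stores a fixed IV under DPAPI and prepends a random block; this example folds the two into one random IV per record, which gives the same property. The registry path, value name and entropy string are hypothetical. `ProtectedData` (System.Security.dll, .NET 2.0 and later) is the managed wrapper for the CryptProtectData/CryptUnprotectData calls the deck reached through P/Invoke on .NET 1.x.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// Added example, not the OpenHack application's code. KeyPath, KeyValue and
// the entropy string are hypothetical.
public static class RecordCrypto
{
    private const string KeyPath = @"HKEY_LOCAL_MACHINE\SOFTWARE\OpSampleApp";
    private const string KeyValue = "UserDataKey";
    private const int BlockSize = 8;   // 3DES block and IV length in bytes
    // Optional entropy ties the DPAPI blob to this application as well as this machine.
    private static readonly byte[] Entropy = Encoding.ASCII.GetBytes("OpSampleApp.UserDataKey");

    // Generate the one farm-wide 3DES key (24 bytes; weak keys are excluded).
    // Done once; the same key is then installed on every web server.
    public static byte[] NewFarmKey()
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.GenerateKey();
            return tdes.Key;
        }
    }

    // Run on each web server: wrap the key with this machine's DPAPI master key
    // and store it in the registry. ACL that key to Administrators and the
    // ASPNET account afterwards, as slide 22 describes.
    public static void InstallKey(byte[] key)
    {
        if (key == null || key.Length != 24) throw new ArgumentException("3DES key must be 24 bytes");
        byte[] wrapped = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        Registry.SetValue(KeyPath, KeyValue, wrapped, RegistryValueKind.Binary);
    }

    // Unwrapping succeeds only on the machine that wrapped the key.
    public static byte[] LoadKey()
    {
        byte[] wrapped = Registry.GetValue(KeyPath, KeyValue, null) as byte[];
        if (wrapped == null) throw new InvalidOperationException("farm key not installed on this server");
        return ProtectedData.Unprotect(wrapped, Entropy, DataProtectionScope.LocalMachine);
    }

    // Encrypt one field as  IV || 3DES-CBC(plaintext).  A fresh random IV per
    // record (the deck's "random first block") keeps equal card numbers from
    // producing equal ciphertext.
    public static byte[] Encrypt(string plaintext, byte[] key)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Key = key;
            tdes.GenerateIV();
            byte[] iv = tdes.IV;
            using (MemoryStream output = new MemoryStream())
            {
                output.Write(iv, 0, iv.Length);
                using (CryptoStream cs = new CryptoStream(output, tdes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    byte[] data = Encoding.UTF8.GetBytes(plaintext);
                    cs.Write(data, 0, data.Length);
                    cs.FlushFinalBlock();
                }
                return output.ToArray();   // still valid after the CryptoStream closed the stream
            }
        }
    }

    // Reverse of Encrypt: the first block is the IV, the rest is ciphertext.
    public static string Decrypt(byte[] blob, byte[] key)
    {
        if (blob == null || blob.Length < 2 * BlockSize) throw new ArgumentException("blob too short");
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Key = key;
            byte[] iv = new byte[BlockSize];
            Array.Copy(blob, 0, iv, 0, BlockSize);
            tdes.IV = iv;
            using (ICryptoTransform decryptor = tdes.CreateDecryptor())
            {
                byte[] plain = decryptor.TransformFinalBlock(blob, BlockSize, blob.Length - BlockSize);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }
}
```

Typical use: `InstallKey(NewFarmKey())` once per server during deployment (with the same key bytes each time), then `Encrypt(cardNumber, LoadKey())` when a record is written and `Decrypt(blob, LoadKey())` when it is read. The unwrapped key exists in the worker process memory only while in use; the registry holds nothing an attacker can use on another machine.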
26. Internet Information Services 5.0

27. IIS 5.0
   - Updated service packs and security patches
   - Moved the default web site
   - Ran the IISLockDown tool
   - Installed and updated the .NET Framework
   - Remapped extensions
   - Configured account privileges and permissions
   - Installed URLScan
   - Added ACLs to the application folder and logs

28. IIS 5.0: default web site location
   - Move it out of %systemdrive%\inetpub
   - Put it in a different folder on a different volume
   - An attacker now has to discover the directory tree
     - Can't reach the system drive by traversing upward with ..

29. IIS 5.0: IISLockDown
   - Use the static web server template
     - No need for dynamic content types in this app
     - Will modify in a bit
   - Get it now:

30. IIS 5.0: .NET Framework
   - Redistributable:
   - Service pack 2:
   - Latest hotfix (credential strengthening): KB Q329250
   - MDAC 2.7:

31. IIS 5.0: remove extension mappings
   - Need only .aspx and a few static content types
   - Remap other application extensions to the 404.dll extension
     - Included with IISLockDown

32. IIS 5.0: account privileges and perms
   - Use the default local ASPNET service account
     - Created during Framework installation
     - Placed in the Users local group
     - Also receives
       - Temporary ASP.NET folder: full
       - %windir%\temp: full
       - Framework installation folder: read
   - Add this account to the local Web application group created by IISLockDown
     - This group can't run executables
     - Update the group's perms to run the C# compiler and resource converter

33. IIS 5.0: URLScan
   - Part of IISLockDown
   - Parser examines the URL before passing it to IIS
   - Configuration
     - Allow only the app's extensions
     - Block long requests
   - More details:

34. IIS 5.0: folder and log ACLs
   - Web content folders
     - ASP.NET worker process: read
     - Anonymous: read-only on served content
   - Log folders
     - System account and Administrators group only
     - All others: deny
     - IIS and URLScan logs

35. Demo: IISLockDown, extension remapping, accounts, URLScan, folder/log ACLs
36. Windows 2000 Advanced Server

37. Windows 2000 AS
   - Updated service packs and security patches
   - Disable unused OS services
   - Various registry-based tightenings

38. Windows 2000 AS: unused services
   Baseline template disables these:
   - Alerter
   - Appmgmt
   - Bits
   - Browser
   - Clipsrv
   - Dfs
   - Dhcp
   - Fax
   - Ismserv
   - Kdc
   - Messenger
   - Mnmsrvc
   - Msdtc
   - Netdde
   - Netddedsdm
   - Ntfrs
   - Rasauto
   - Rasman
   - Remoteregistry
   - Sharedaccess
   - Spooler
   - Tapisrv
   - Tlntsvr
   - Trksvr
   - Trkwks
   - Utilman
   - Winmgmt
   - Wmi
   - Wuauserv

39. Windows 2000 AS: unused services (per-role changes to the baseline)
   - SQL Server
     - Lanmanserver: manual
     - Sqlserveragent: disabled
   - Terminal server
     - Lmhosts: disabled
   - Web server
     - Lanmanserver: disabled
   - VPN server
     - Rasauto, Rasman, Lmhosts, Tapisrv, Remoteregistry: automatic

40. Windows 2000 AS: registry tweaks, NoLMHash
   - HKLM\System\CurrentControlSet\Control\LSA
   - Prevents Windows from storing passwords in the LM hash format
     - LM hashes are weak and quickly cracked offline
   - A subkey in Windows 2000; a DWORD value in Windows XP and Server 2003
   - LM hashes already stored remain until each password is next changed

41. Windows 2000 AS: registry tweaks, NoDefaultExempt
   - HKLM\System\CurrentControlSet\Services\IPSec
   - IPSec normally exempts Kerberos traffic from the policy engine
   - Change the default so that traffic on port 88 is no longer exempt and falls under the block-all filters
   - See the IPSec section for more details

42. Windows 2000 AS: registry tweaks, DisableIPSourceRouting
   - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
   - Makes the stack ignore source-routed packets, in which the sender dictates the route the packet takes
     - Enforces use of the computer's default gateway
   - Eliminates certain man-in-the-middle attacks

43. Windows 2000 AS: registry tweaks, SynAttackProtect
   - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
   - Limits the system resources allocated to half-open incoming connections
   - Mitigates certain SYN-flood attacks and denials of service

44. Demo: registry tweaks
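The four registry tweaks from slides 40 through 43 applied in code, as an added example rather than the deck's own demo script. The numeric values (2, 2 and 1) are the commonly documented hardening values for Windows 2000 and are an assumption about what the demo set; the NoLMHash branch shows the subkey-versus-value difference the slide calls out, since using the wrong form silently does nothing. Run it as an administrator; the TCP/IP and IPSec settings take effect after a reboot.

```csharp
using System;
using Microsoft.Win32;

// Added example, not the deck's script. Values are assumed hardening values.
public static class RegHardening
{
    private const string TcpipParams = @"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters";
    private const string IpSecSvc    = @"SYSTEM\CurrentControlSet\Services\IPSec";
    private const string Lsa         = @"SYSTEM\CurrentControlSet\Control\Lsa";

    // Windows 2000 reports version 5.0; XP is 5.1 and Server 2003 is 5.2.
    private static bool IsWindows2000()
    {
        Version v = Environment.OSVersion.Version;
        return v.Major == 5 && v.Minor == 0;
    }

    public static void Apply()
    {
        // CreateSubKey opens the key writable, creating it if it is absent.
        using (RegistryKey tcp = Registry.LocalMachine.CreateSubKey(TcpipParams))
        {
            // 2 = drop every incoming source-routed packet
            // (1 would only stop this host from forwarding them).
            tcp.SetValue("DisableIPSourceRouting", 2, RegistryValueKind.DWord);
            // 2 = under a SYN flood, delay the connection indication and use
            // fewer retransmissions so half-open connections stay cheap.
            tcp.SetValue("SynAttackProtect", 2, RegistryValueKind.DWord);
        }
        using (RegistryKey ipsec = Registry.LocalMachine.CreateSubKey(IpSecSvc))
        {
            // 1 = Kerberos (port 88) and RSVP lose their built-in exemption and
            // are subject to the IPSec filters. Safe on standalone servers such
            // as the OpenHack machines; a domain member would first need an
            // explicit permit rule for traffic to its domain controllers.
            ipsec.SetValue("NoDefaultExempt", 1, RegistryValueKind.DWord);
        }
        using (RegistryKey lsa = Registry.LocalMachine.CreateSubKey(Lsa))
        {
            // Windows 2000 looks for a SUBKEY named NoLMHash; XP and Server 2003
            // look for a DWORD VALUE set to 1.
            if (IsWindows2000())
            {
                using (RegistryKey marker = lsa.CreateSubKey("NoLMHash")) { }
            }
            else
            {
                lsa.SetValue("NoLMHash", 1, RegistryValueKind.DWord);
            }
        }
        // Either way, LM hashes already on disk remain until each password changes.
    }

    // Read back the settings; false if any of them is missing or different.
    public static bool IsApplied()
    {
        using (RegistryKey tcp = Registry.LocalMachine.OpenSubKey(TcpipParams))
        using (RegistryKey ipsec = Registry.LocalMachine.OpenSubKey(IpSecSvc))
        using (RegistryKey lsa = Registry.LocalMachine.OpenSubKey(Lsa))
        {
            if (tcp == null || ipsec == null || lsa == null) return false;
            bool tcpOk = Equals(tcp.GetValue("DisableIPSourceRouting"), 2)
                      && Equals(tcp.GetValue("SynAttackProtect"), 2);
            bool ipsecOk = Equals(ipsec.GetValue("NoDefaultExempt"), 1);
            bool lmOk = IsWindows2000()
                ? Array.IndexOf(lsa.GetSubKeyNames(), "NoLMHash") >= 0
                : Equals(lsa.GetValue("NoLMHash"), 1);
            return tcpOk && ipsecOk && lmOk;
        }
    }
}
```

`IsApplied` is the check to run from a build-verification step after the reboot: it reads the same locations the slides name and reports whether all four settings are in place.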
45. IPSec policies

46. IPSec policies
   - Traffic requirements
     - Web server -> SQL Server
     - RAS -> management net over L2TP
     - Mgmt server -> clients for Terminal Services and file sharing
     - Mgmt server -> all servers over private NICs
     - All servers -> mgmt server file shares

47. IPSec policies: protection
   - Use digital certificates for authentication
     - Standalone CA taken offline after machine enrollment
   - Signed (SHA-1 integrity)
     - Between all computers; enforces machine-to-machine authentication
     - Protects integrity
   - Encrypted (MD5 integrity plus ESP encryption)
     - To/from the management server
     - Protects confidentiality of internal traffic if the front end were compromised

48. IPSec policies: policy properties
   - Initial config on all servers
     - Block all IP and all ICMP traffic
   - Web server -> SQL Server
     - "Authenticate and sign" action: IPSec AH
   - Mgmt server -> everything
     - "AuthN, sign, encrypt" action: IPSec ESP+AH
   - Internet -> web servers
     - Permit

49. IPSec policies: relationships

50. Demo: IPSec UI, each server's policy
51. Remote management and monitoring

52. Remote management
   - An OpenHack requirement is to show it's possible to update the app during the contest
   - Our solution
     - L2TP+IPSec remote-access VPN
     - Terminal Services
     - Restricted file shares

53. Remote management: L2TP+IPSec remote-access VPNs
   - L2TP is the tunnel; IPSec encrypts it
   - Remote administrator needs
     - A computer certificate trusted by the RRAS server
     - Remote access account credentials
   - Achieves a trusted computer and a trusted user
     - The computer certificate is non-exportable
       - We know where the user is coming from
     - User account to log on to RRAS (and TS)
       - We know who the user is

54. Remote management: Terminal Services
   - Individual accounts on each computer (no domain here)
     - Password strength described later
   - TS access limited to the OHTS computer only
   - Carried over the VPN
     - Although TS traffic is already encrypted
   - From OHTS you can connect to TS on the other computers
     - "Nesting" TS works just fine

55. Remote management: file shares
   - "inbox" share
     - To drop off changed site content
     - Write-only
   - "outbox" share
     - To retrieve files for analysis
     - Read-only

56. Remote management: physical network

57. Demo: VPN configuration
58. SQL Server 2000

59. SQL Server 2000
   - It's all about reducing the "surface area" exposed to attackers
     - Installed software
     - Authentication
     - Service account
     - Communications protocols
     - Recovery actions
     - Application permissions

60. SQL Server: installed software
   - Service pack 2 and latest security patches
   - Omit
     - Upgrade tools
     - Debug symbols
     - Replication support
     - Books Online
     - Development tools
   - Disable
     - Msdtc
     - SQL Server Agent
     - Microsoft Search

61. SQL Server: authentication
   - Modified local security policy to allow NTLMv2 only
   - Configure for Windows authentication only
     - No need to store the SA ID/password on the web server
   - Set a huge SA password
     - In case someone "accidentally" changes the authN mode
   - Set the audit level to "Failure"
     - Good forensic evidence of attempted attacks
     - But if an attacker did figure out the password, how would you know...?
       - Maybe should audit success and failure

62. SQL Server: service account
   - Default is LocalSystem
     - Has too many permissions!
   - Create a local user account for the SQL service
     - Strong password
     - User can't change password
     - No TS access
   - Or use a domain user account if network access is necessary

63. SQL Server: a couple of others
   - Communications protocol
     - In the server network utility: hide SQL Server from client broadcasts
     - Remove the named pipes protocol (need TCP/IP only)
   - Recovery actions
     - Set to "restart the service"
     - In the service properties page
     - More of a reliability thing...

64. SQL Server: application permissions
   - Delete the sample Northwind and Pubs databases
   - Create the application database
     - Grant the app account EXECUTE on the stored procedures, but no permissions on the tables themselves
     - Prevents execution of ad hoc SQL queries
     - Ensure this account has no permissions anywhere else in SQL Server

65. Demo: SQL Server configuration
66. Passwords

67. Passwords
   - Do we even need to mention this? ;)
   - Include characters from at least three of
     - Lowercase letters
     - Uppercase letters
     - Numbers
     - Non-alphanumerics
   - The super-paranoid should use all four plus ALT+nnnn (numeric keypad) symbols
   - Go for length

68. Learnings

69. Learnings
   - Every deployment is unique, but certain principles apply everywhere
   - Use, adapt, modify as necessary
   - Need to state the obvious here (after all, this is a PowerPoint presentation...)

70. The obvious
   - Plan for security in the original design
   - Always install the latest service packs and patches (the design should include a plan for this)
   - Always use complex, non-intuitive passwords
   - Reduce surface area by disabling unnecessary functionality
   - Adhere to the principle of least privilege
   - Anticipate failure; practice defense in depth
   - Always run IISLockDown and URLScan on IIS
   - Validate all input data
   - Use only parameterized stored procedures on a database

71. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.