Steve Riley
Senior Program Manager
Security Business and Technology Unit
steriley@microsoft.com

Common security screw-ups we have known and seen

Security Myths

© 2005 Microsoft Corporation, All Rights Reserved

Our network is secure, right?

Oh sure, don't worry. We have several firewalls.


The Truth

Your network is not secure!

At best it is protected

Protected networks are well designed networks with savvy users


Fundamental Tradeoff

Secure
Usable
Cheap

You get to pick any two!


Agenda

10 (more or less) things people do that do not improve security


Use Some Hardening Guide


Rolling Back The Guide


Roles Your System Can Fill Now


Hiding

Rename Administrator account: "Keeps bad guys away from admin account"

Turn off SSID broadcast: "Ensure nobody finds your AP"

Do not display last logged on user: "Never volunteer the username"

Change your web/ftp banner

They'll find you! Security by obscurity is a weak defense


Make Tons Of Security Changes Without A Policy

Policies, Procedures, & Awareness
Physical Security
Perimeter
Internal Network
Host
Application
Data

The "new math" syndrome:

1+1 = [0,-1)


Get Evaluated Based On Number of Tweaks?

No problems, make harmless ones:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\DisableHackers=1 (REG_DWORD)
    HKLM\Wetware\Users\SocialEngineering\Enabled=no (REG_SZ)
    HKCU\Wetware\Users\CurrentUser\PickGoodPassword=1 (REG_BINARY)
    HKLM\Hardware\CurrentSystem\FullyPatched=yes (REG_SZ)
    HKLM\Software\AllowBufferOverflows=no (REG_SZ)


Better Yet: Get Promoted

[Chart: 3rd Quarter ROI Contribution By Area, with bars for Sales, Engineering, IT and Tweaks]


We Need High Security

Is that what you want?


Consider your needs first


Detection Gone Bad

Detection Does Not Always Work

Account Lockout

Account Lockout Is Attack Detection
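An added illustration in Python, not from the slides, of lockout as a detector: a per-account lockout fires on a burst against one account (and then turns the attacker's failures into a denial of service for the account's real owner), while it never notices a spread of a few guesses across many accounts; an aggregate view of the same events catches that case without locking anyone out. The addresses, account names and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample logon events, not taken from the slides:
# (seconds since start, source address, account, result). Two scenarios are mixed in:
#   1. one source fails six times against "alice", then the real user logs on from the LAN;
#   2. one source tries two guesses against each of ten accounts (a "spray").
EVENTS = (
    [(t, "198.51.100.7", "alice", "FAIL") for t in range(0, 60, 10)]
    + [(90, "10.0.0.5", "alice", "OK")]
    + [(200 + i, "203.0.113.9", f"user{i % 10:02d}", "FAIL") for i in range(20)]
)

LOCKOUT_THRESHOLD = 5        # failures within WINDOW_S that lock the account
WINDOW_S = 300
SPRAY_DISTINCT_ACCOUNTS = 8  # one source failing against this many accounts raises an alert


def lockout_policy(events):
    """Per-account lockout used as the detector. Returns the accounts it locked and the
    legitimate successes it turned away while the lock was in force."""
    recent_fails = defaultdict(list)
    locked, refused = set(), []
    for ts, _src, acct, result in events:
        if acct in locked:
            if result == "OK":
                refused.append((ts, acct))  # the attacker's failures now deny the owner
            continue
        if result == "FAIL":
            recent_fails[acct] = [t for t in recent_fails[acct] if ts - t <= WINDOW_S] + [ts]
            if len(recent_fails[acct]) >= LOCKOUT_THRESHOLD:
                locked.add(acct)
    return locked, refused


def spray_detector(events):
    """Aggregate detection across accounts: a source failing against many distinct
    accounts is flagged even though no single account ever reaches the lockout count."""
    accounts_per_source = defaultdict(set)
    for _ts, src, acct, result in events:
        if result == "FAIL":
            accounts_per_source[src].add(acct)
    return {src for src, accts in accounts_per_source.items()
            if len(accts) >= SPRAY_DISTINCT_ACCOUNTS}
```

Run against EVENTS, lockout_policy locks "alice" and refuses her later valid logon, and the spray source 203.0.113.9 never trips it; spray_detector flags 203.0.113.9 and leaves the burst source alone.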


Permanent Account Lockout

Termination Notice

Employee Name:               Employee ID:
Employee Address:            Employee SSN:
Manager Name:                Manager ID:
Department:
Termination Effective Date:
Benefits Continuation:  Yes / No
Severance Package:      Yes / No

Termination Reason:
    Opening unsolicited e-mail
    Sending spam
    Emanating viruses
    Port scanning
    Attempted unauthorized access
    Surfing porn
    Installing shareware
    Possession of hacking tools
    Refusal to abide by security policy
    Sending unsolicited e-mail
    Allowing kids to use company computer to do homework
    Disabling virus scanner
    Running P2P file sharing
    Unauthorized file/web serving
    Annoying the Sysadmin


Physical Security

Software Cannot Replace Physical Security

Prevent shutdown without logging on
USB thumb drives
Recovery console restrictions
Restrict undock without logon


Put Things In The Right Place


Follow The Leader

“Security Expert”: (n) Someone who is quoted in the press

Certified… or just certifiable?


Audit everything

"We need to know exactly what's going on"

Will you be able to tell? That's the tasty one…


Password Cracking


The real password problem

Client: Hey, I want to authenticate
Server: OK, here is a nonce, tell me who you are
Client: Response – E(Hash, nonce)

If the bad guys have your hashes you have already lost!
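An added example, not from the slides, of the exchange in the diagram as a toy Python protocol: the server stores only a hash, the client answers a fresh nonce with E(Hash, nonce), modelled here as HMAC-SHA256 keyed with the stored hash. It shows what the nonce buys (a captured response is useless later) and what it does not (whoever holds the stored hash can answer every challenge), which is why the credential store must be guarded as a password-equivalent. Names, the password and the construction are assumptions of this example, not any real product's protocol.

```python
import hashlib
import hmac
import os

# Toy model, constructed for this example, of the slide's exchange. The server keeps
# only a hash of the password, issues a fresh nonce, and the client proves knowledge
# by returning E(Hash, nonce), modelled as HMAC-SHA256 keyed with the stored hash.


def password_hash(password: str) -> bytes:
    """What the server stores instead of the password (unsalted, as in the slide)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(stored_hash: bytes, nonce: bytes) -> bytes:
    """E(Hash, nonce): the response depends on the hash, never on the password itself."""
    return hmac.new(stored_hash, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, credentials: dict) -> None:
        self.credentials = credentials  # username -> stored hash

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh nonce per attempt: old responses cannot be replayed

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        expected = compute_response(self.credentials[user], nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the exchange four ways to show what the nonce does and does not protect."""
    server = Server({"alice": password_hash("correct horse battery")})
    stolen_hash = server.credentials["alice"]  # what a compromised credential store yields

    nonce = server.challenge()
    good_response = compute_response(password_hash("correct horse battery"), nonce)
    good = server.verify("alice", nonce, good_response)
    bad = server.verify("alice", nonce, compute_response(password_hash("wrong guess"), nonce))

    # Replaying the genuine response against a later challenge fails: the nonce's job.
    replay = server.verify("alice", server.challenge(), good_response)

    # Holding the hash alone answers any fresh challenge: the hash is a password-equivalent.
    nonce2 = server.challenge()
    hash_only = server.verify("alice", nonce2, compute_response(stolen_hash, nonce2))

    return {"password": good, "wrong_password": bad, "replay": replay, "hash_only": hash_only}
```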


The Real Password Problem

Admin password

Admin.R386W


Evolution of the Problem


What We Tell Users


What Users See


Vendors Can Fix User Security Problems

The real problem is uneducated users

Properly configured users are your strongest defense!

Jesper Johansson:
Make mockup of additional GPOs for a user, to be delivered in Windows 2010 Implant Edition
Possibilities:
    Raise intelligence = yes
    OpenEmailWorms = no
    Surf porn = only after hours


Configuring Users


SSH/HTTP/HTTPS is great. We only have to open one port in the firewall

[Diagram: Network and Transport Layers. The Firewall admits 80/tcp (UFBP) and 443/tcp (SUFBP); the labels UFBP, SUFBP, SSH, VPN and Remote Control appear on the traffic passing through it.]


Network Security Claims

Our network/software/hardware is
Secure
Impenetrable
Unbreakable


Newsflash

Security is hard!

There is no easy fix


The myths

1. Security guides make your system secure
2. If we hide the bad guys won't find us
3. The more tweaks the better
4. All environments should follow the advice in <insert guide here>
5. High security is an end goal for all environments
6. Security tweaks can fix physical security problems
7. The lemming security model - always follow expert recommendations
8. We need to audit everything
9. Password cracking is our biggest problem
10. Security tweaks will stop worms and viruses
11. Encrypted attack traffic is much better than clear-text attack traffic


For more information

Jesper and Steve finally wrote a book!

Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437

Steve Riley
steriley@microsoft.com

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
