
March 18th, 2008 EDUCAUSE MWR 2008 - John Bruggeman

EDUCAUSE Midwest Regional 2008

Effective Windows Desktop Security

John Bruggeman, [email protected]

Director of Information Systems

Hebrew Union College – Jewish Institute of Religion


Windows Desktop Security!

Agenda: Windows Security

• Defense in Depth – 4 walls of protection
• Top Vulnerabilities
• Frequent Mistakes

EDUCAUSE Security Taskforce Effective Practices
• EPs on many areas, not just Windows

Tools that work
• Comodo Firewall, Spybot TeaTimer, MBSA
• Demo Spybot & Comodo

Questions & Answers


Copyright Notice

Copyright John Bruggeman, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Who am I?

John Bruggeman, Director of Information Systems (and Telecommunications), Hebrew Union College – Jewish Institute of Religion
• 4 campuses – LA, NY, Cincinnati, Jerusalem
• Responsible for all IS and telecom issues
• 4 staff (one per campus plus one Website Manager)

GSEC certified in 2003, recertified in 2005
GCWN certified in 2008 (Windows Security)
Active in INFRAGARD and the EDUCAUSE Security Task Force
Advocate for IT Security –
• We are only as secure as our weakest link!


Defense in Depth

4 Layers of Defense – 4 Walls
Wall 1 – Blocking attacks at the Network (IPS and IDS)
• Tools to use at the Network, beyond a traditional firewall
Wall 2 – Blocking attacks at the Host (IPS and IDS)
• Tools to use on the PC
  – Anti-Virus, Anti-Spam, Anti-Phishing, Anti-Spyware
Wall 3 – Eliminating Security Vulnerabilities (SANS Top 20)
• Windows Vulnerabilities
Wall 4 – Safely supporting Authorized Users
• Balancing security and access


Defense in Depth cont.

Layer 1 – Blocking Attacks at the Network
IPS (Intrusion Protection Systems)
• Block traffic before it penetrates
• Checks “content” of traffic and allows or denies
IDS (Intrusion Detection Systems)
• Notices when a system has been compromised (post attack)
Firewall / Malware detection at the perimeter
• Classic firewalls are being replaced with IPS devices
• Appliance Firewalls for small institutions
  – 3Com OfficeConnect, Fortinet, SonicWall
• Big Iron for large institutions
  – Check Point, Juniper


Defense in Depth – cont.

Layer 2 – Blocking Attacks at the Host
Host Intrusion Prevention Systems
• Spybot TeaTimer, Symantec AV & IPS
  – Blocks unauthorized application loading
  – AV IPS use behavior patterns, not static patterns
Personal Firewalls
• Comodo Firewall / IPS, ZoneAlarm
  – Same as hardware firewalls, allows only permitted traffic
  – Stealth mode hides computer from hacker scans
  – Egress filtering helps deter “phone home” by Trojans
• XP SP2 aka ICF
  – ICF overview
    » ICF is a stateful packet filter with an “unfriendly” user interface
    » No egress filtering, no immediate notification


Defense in Depth – cont.

Windows Vista security features include:
• Hardened services
• User Account Control (UAC)
• Windows Defender (Anti-Spyware)
• Windows Firewall enhancements
• Network Access Protection
• Internet Explorer Protected Mode
• Phishing Filter
• BitLocker Drive Encryption
• Rights management


Vista Enhancements

User Account Control
• Enables a user to have a non-administrator account and still be productive
• All users operate at the lowest possible privileges
• Vista has a special account that runs in AAM (admin approval mode)
  – Means that the user either supplies administrative credentials or consents (depending on group policy settings) to perform typical admin functions
    » EXAMPLE: install a program


Vista Enhancements

Vista Firewall – Improved! (Yeah!!)
• The Windows Vista firewall will now have the ability to block outgoing traffic
• Windows XP only blocked incoming traffic
• Provides the ability to stop peer-to-peer connections
• Provides the ability to stop instant messaging programs


ICF Screen shot


Comodo Firewall


Windows Vista Firewall

• Both inbound and outbound
• Authentication and authorization aware
• Outbound application-aware filtering is now possible
• Includes IPSec management
• Of course, policy-based administration
• Great for peer-to-peer control
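The outbound, application-aware filtering described above, as an added example that is not part of the original presentation: a PowerShell script that blocks one program's egress through the netsh advfirewall interface Vista introduced and then reads the rule back to verify it. The program path and rule name are placeholders of my own; an elevated prompt on Vista or later is assumed.

```powershell
# Added example, not from the presentation. Blocks one program from making outbound
# connections with the Vista firewall's egress filtering. Assumes Windows Vista or
# later and an elevated (Run as administrator) PowerShell prompt.

# Placeholders: point these at the peer-to-peer or IM client you want to stop.
$ProgramPath = 'C:\Tools\ExampleP2P\p2pclient.exe'   # hypothetical path, not a real product
$RuleName    = 'BlockOutbound-ExampleP2P'

function Add-OutboundBlockRule {
    param([string]$Name, [string]$Program)

    if (-not (Test-Path -Path $Program)) {
        throw "Program not found: $Program (fix the path before adding a rule for it)"
    }

    # Match on the executable rather than a port: a client that hops ports is still
    # caught because the filter follows the program, not the destination.
    netsh advfirewall firewall add rule name="$Name" dir=out action=block `
        program="$Program" enable=yes profile=any `
        description="Egress filter added by desktop hardening script" | Out-Null

    # Read the rule back; netsh prints "Direction: Out" and "Action: Block"
    # for a rule that was created as intended.
    $shown = netsh advfirewall firewall show rule name="$Name"
    $ok = ($shown -match 'Direction:\s+Out') -and ($shown -match 'Action:\s+Block')
    return [bool]$ok
}

# Log dropped outbound connections so "phone home" attempts can be reviewed later in
# %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null

if (Add-OutboundBlockRule -Name $RuleName -Program $ProgramPath) {
    Write-Host "Outbound block rule '$RuleName' is in place."
} else {
    Write-Host "Rule '$RuleName' did not verify; check the netsh output."
}
```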


Defense in Depth – cont.

Layer 2 – Blocking Attacks at the Host
Personal Anti-Malware
• Spybot Search and Destroy, Symantec, Microsoft Windows Defender, Sunbelt CounterSpy, Tenebril SpyCatcher
• Pattern matching for known signatures
Network Access Control – Host Based
• NAC clients verify configuration and patch level
• Can enforce network policy, quarantine computers that do not comply with the policy
  – Bradford Networks, Cisco Clean Access, ISS products


SpyBot Normal


SpyBot - Immunize


SpyBot - Advanced


SpyBot - Tools


SpyBot - Tools


Defense in Depth – cont.

Layer 3 – Eliminating Security Vulnerabilities
Vulnerability Management and Testing
• Know your systems – are they patched?
Patch Management
• Use patch management systems to keep clients current
  – WSUS, BigFix
Application Security Testing
• Tools from Foundstone and SourceForge can help with application testing
  – http://www.foundstone.com/us/resources-free-tools.asp


Defense in Depth cont.

Layer 3 – Eliminating Security Vulnerabilities
SANS Top Vulnerabilities in Windows Systems
– The SANS (SysAdmin, Audit, Network, Security) Inst.
• From the SANS website www.sans.org
1) Windows Services
2) Internet Explorer
3) Windows Libraries
4) MS Office and Outlook Express
5) Windows Configuration Weaknesses


Defense in Depth cont.

Layer 3 – Eliminating Security Vulnerabilities
Acronyms Galore!
• CVE, CPE, CCE, CVSS, OVAL, SCAP, NVD
  – Common Vulnerabilities and Exposures (CVE)
  – Common Platform Enumeration (CPE)
  – Common Configuration Enumeration (CCE)
  – Common Vulnerability Scoring System (CVSS)
  – Open Vulnerability and Assessment Language (OVAL)
  – Security Content Automation Protocol (SCAP, pronounced “S-cap”)
  – National Vulnerability Database (NVD)
• SCAP – http://nvd.nist.gov
• MITRE – http://cve.mitre.org, http://cpe.mitre.org


Defense in Depth cont.

Top Vulnerabilities in Windows Systems
From the SANS website www.sans.org
1) Windows Services
• Critical vulnerabilities were discovered in these services in 2006
  • Server service (MS06-040, MS06-035)
  • Routing and Remote Access Service (MS06-025)
  • Exchange Service (MS06-019)
• What to do?
  • Disable the service if possible
  • Scan for vulnerabilities
  • PATCH


Windows Services


Defense in Depth cont.

From the SANS Website www.sans.org
2) Internet Explorer
– Multiple vulnerabilities were discovered in 2006 in IE
  » Vulnerability in Vector Markup Language – Remote Code Execution (MS06-055)
  » Cumulative Security Update for IE (MS06-042)
  » Vulnerability in Microsoft JScript – Remote Code Execution (MS06-023)
  » Cumulative Security Update in IE (MS06-021, MS06-013, MS06-004)
– How to mitigate
  » On XP, install SP2, upgrade to IE 7
  » On 2000, NT, keep patches current
  » Use DropMyRights from MS to lower IE privileges
  » Check your Browser Helper Objects (BHO) for spyware
  » Disable Scripting and ActiveX


Windows IE settings


Defense in Depth cont.

From the SANS Website www.sans.org
3) Windows Libraries
• DLLs can have buffer overflow vulnerabilities
• Vulnerabilities discovered in 2006
  – Vulnerability in HTML Help could allow RCE (MS06-046)
  – Vulnerability in Windows could allow RCE (MS06-043)
  – Vulnerability in Graphics Rendering Engine (MS06-001, MS06-026)
  – Vulnerability in Embedded Web Fonts (MS06-002)
• Patch your system and scan for vulnerabilities
• Use least privilege where possible
• Filter IP ports 135-139 and 445
• Use an IPS and IDS


Defense in Depth cont.

From the SANS Website www.sans.org
4) MS Office and Outlook Express
– Attack vectors are email attachments, website documents, and news servers
– Several critical vulnerabilities in 2006
  » PowerPoint RCE (CVE-2006-5296)
  » Word Malformed Stack Vulnerability (MS06-060)
  » Office and PowerPoint MSO.DLL (MS06-062, MS06-048)
  » Excel Multiple RCE (MS06-059)
  » PowerPoint Malformed Record (MS06-058)
  » Visio, Works and Project VBA (MS06-047)
  » Office Malformed String Parsing (MS06-038)
  » Excel Malformed SELECTION record (MS06-037)
  » Word Malformed Object Pointer (MS06-027)
  » Outlook and Exchange TNEF Decoding (MS06-003)


Defense in Depth cont.

MS Office and Outlook continued
• Check your systems with a vulnerability scanner
  – MBSA, Windows Update
• Mitigate by patching; disable the IE feature of opening Office documents
• Configure Outlook with enhanced security
• Use IPS and IDS


Defense in Depth cont.

From the SANS Website www.sans.org
5) Windows Configuration Weaknesses
– Weak passwords on accounts or network shares
  » LAN Manager hashes are weak and should be replaced with stronger, more current hash techniques
  » Default configuration for servers and applications can open machines to password guessing
  » MSDE ships with the SA account set with a blank password
  » Several worms take advantage of this: Voyager, Alpha Force, SQL Spida use known weak configurations to spread
– Enforce a strong password policy
– Prevent Windows from storing the LM hash in AD or the SAM
– Disable NULL shares and restrict anonymous access


Defense in Depth cont.

Frequent Mistakes made in Windows Security
• www.sans.org/reading_room/whitepapers/windows/1016.php
Allowing Null Sessions
• http://www.microsoft.com/technet/security/bulletin/ms99-055.mspx
• http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/swin2k06.mspx
Weak Lockout Policies
• http://www.microsoft.com/technet/archive/security/chklist/xpcl.mspx
Weak Account Policies
Multiple Trust relationships
Multiple Domain admin accounts
Audit logs turned off
Automatic Updates turned off
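A read-only audit covering the Windows Configuration Weaknesses slide (LM hash storage, anonymous access) and the null-session, lockout-policy and Automatic Updates items on the Frequent Mistakes slide, as an added example that is not part of the presentation. The registry values are the standard LSA and Automatic Updates settings; the pass thresholds are my own, and English-language net accounts output plus an elevated prompt are assumed.

```powershell
# Added example, not from the presentation. Read-only audit of the weak configurations
# the two slides call out: LM hash storage, LM/NTLM compatibility, null sessions and
# anonymous access, Automatic Updates, and lockout / password-length policy.
# Assumes Windows XP/2003 or later, an elevated prompt, and English "net accounts" output.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return $item.$Name
}

function Test-WindowsConfigWeaknesses {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    # Value name, key, pass test (thresholds chosen for this example), meaning when it fails.
    $checks = @(
        @{ N='NoLMHash';                  P=$lsa; Ok={ param($v) $v -eq 1 }; Why='LM hash of each password is still stored' },
        @{ N='LmCompatibilityLevel';      P=$lsa; Ok={ param($v) $v -ge 3 }; Why='LM/NTLMv1 responses still sent on the wire' },
        @{ N='RestrictAnonymous';         P=$lsa; Ok={ param($v) $v -ge 1 }; Why='null sessions can enumerate shares' },
        @{ N='RestrictAnonymousSAM';      P=$lsa; Ok={ param($v) $v -eq 1 }; Why='null sessions can enumerate accounts' },
        @{ N='EveryoneIncludesAnonymous'; P=$lsa; Ok={ param($v) $v -eq 0 }; Why='anonymous users get Everyone-group access' },
        @{ N='AUOptions';                 P=$au;  Ok={ param($v) $v -ge 2 }; Why='Automatic Updates turned off (AUOptions=1)' }
    )

    $findings = @()
    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.P -Name $c.N
        if ($null -eq $actual) { $status = 'NOT SET (OS default applies; verify for this version)' }
        elseif (& $c.Ok $actual) { $status = 'OK' }
        else { $status = 'WEAK: ' + $c.Why }
        $findings += New-Object PSObject -Property @{ Check=$c.N; Value=$actual; Status=$status }
    }

    # Account policy from "net accounts": a lockout threshold of "Never" and a short
    # minimum length are the weak lockout / weak account policies on the slide.
    foreach ($line in (net accounts)) {
        if ($line -match '^Lockout threshold:\s+(\S+)') {
            if ($matches[1] -eq 'Never') { $status = 'WEAK: accounts never lock out' } else { $status = 'OK' }
            $findings += New-Object PSObject -Property @{ Check='Lockout threshold'; Value=$matches[1]; Status=$status }
        }
        if ($line -match '^Minimum password length:\s+(\d+)') {
            if ([int]$matches[1] -lt 8) { $status = 'WEAK: minimum length under 8' } else { $status = 'OK' }
            $findings += New-Object PSObject -Property @{ Check='Minimum password length'; Value=$matches[1]; Status=$status }
        }
    }
    return $findings
}

Test-WindowsConfigWeaknesses | Format-Table Check, Value, Status -AutoSize
```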


Password Policies


Defense in Depth cont.

Common Password Myths
1. Password hashes are safe using NTLMv2
2. Hr^y*Pwe(1#$ is a great password
   – [email protected] is better
3. 14 characters is the optimal length
   – Passwords over 14 characters have an invalid hash stored
4. M1ke100 is a good password
5. Eventually any password can be cracked
6. Passwords should be changed every 60 days
7. You should never write down your password
8. Passwords can’t include spaces


Defense in Depth cont.

Frequent Mistakes made in Windows Security
Updates turned off
• SANS, Gartner Group, others report that 80-90% of attacks are from known vulnerabilities.
• SQL Slammer, W32.Slammer in 2005 attacked a known vulnerability that had a patch available 6 months before it hit.
Need to patch systems and keep them current
• Does require a patch management strategy
• Will require time
• Payoff is less downtime


Defense in Depth cont.

Patching Windows
What to Patch
• OS
• Applications
Types of Patches from MS
• Hotfix, Update, Critical Update, Security Patch, Update Roll-up, Service Pack


Defense in Depth cont.

How to Patch
Develop a Plan
• Hardware and Software Inventory
• Patch management Policy & Process
• Include a notification process
• Track & check patch level
• Download and test patches prior to deployment
• Deploy patches
• Audit workstations for compliance
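The "track & check patch level" and "audit workstations for compliance" steps of the plan, as an added example that is not part of the presentation: a PowerShell audit driven through the Windows Update Agent COM API (Microsoft.Update.Session), the same agent Windows Update and MBSA use. It assumes the agent is present and can reach WSUS or Microsoft Update; the compliance rule (no missing Critical or Important update) is my own placeholder policy.

```powershell
# Added example, not from the presentation. Checks one workstation's patch level for the
# plan's "track & check patch level" and "audit workstations for compliance" steps using
# the Windows Update Agent COM API. Assumes Windows XP SP2 or later with the agent present
# and WSUS or Microsoft Update reachable. Read-only: it installs nothing.

function Get-MissingUpdates {
    # Ask the agent's configured source for software updates not yet installed.
    # The search can take minutes; it is the same question MBSA asks.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    $missing = @()
    foreach ($update in $result.Updates) {
        $severity = $update.MsrcSeverity
        if (-not $severity) { $severity = 'Unrated' }   # non-security updates carry no MSRC rating
        $kbs = @()
        foreach ($id in $update.KBArticleIDs) { $kbs += "KB$id" }
        $missing += New-Object PSObject -Property @{
            KB = ($kbs -join ', '); Severity = $severity; Title = $update.Title }
    }
    return $missing
}

function Test-PatchCompliance {
    # Compliance rule used here (placeholder policy): nothing rated Critical or
    # Important may be missing. Substitute your own patch policy's rule.
    param([object[]]$Missing, [string[]]$BlockingSeverities = @('Critical', 'Important'))

    $blocking = @($Missing | Where-Object { $BlockingSeverities -contains $_.Severity })
    return New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        Installed       = @(Get-HotFix).Count        # installed-hotfix inventory for the record
        Missing         = @($Missing).Count
        MissingBlocking = $blocking.Count
        Compliant       = ($blocking.Count -eq 0)
    }
}

$missing = @(Get-MissingUpdates)
Test-PatchCompliance -Missing $missing |
    Format-List Computer, Installed, Missing, MissingBlocking, Compliant

# What still needs deploying, worst MSRC severity first, for the change ticket.
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }
$missing |
    Sort-Object -Property @{ Expression = { if ($rank.ContainsKey($_.Severity)) { $rank[$_.Severity] } else { 4 } } }, Title |
    Format-Table Severity, KB, Title -AutoSize
```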


Defense in Depth cont.

How to Patch
Tools from Microsoft (MS)
• Analysis tool from MS, Microsoft Baseline Security Analyzer (MBSA)
• Online update services
  – Microsoft Update, Windows Update, or Download Center
• Push / Management tools
  – WSUS server, SMS server, Group Policies


Defense in Depth cont.

How to Patch
Tools from Microsoft
• Microsoft Update is different than Windows Update
  – MU updates all MS products, not just Windows
    » Office updates, Server product patches
• WSUS is the updated SUS server
  – New version coming out, WSUS 3.0 in Beta now
  – www.microsoft.com/wsus
  – Target client installs, selective client patching, uninstall options


Defense in Depth cont.

How to Patch
Commercial Tools
• Altiris Patch Management – www.altiris.com
• BigFix Patch Manager – www.bigfix.com
• Ecora Patch Manager – www.ecora.com
• LanDesk Patch Management – www.landesk.com


Defense in Depth cont.

Testing and Verification
Patch systems are not perfect; you need to test after patches have been applied
Tools
• Microsoft Baseline Security Analyzer 2.1 (Beta)
  – Used for Vista and below
• MBSA 2.0
  – Used for Windows 2000 + SP3 and later
  – Office XP and later
  – Exchange 2000 and later
• MBSA 1.2.1
  – Office 2000
  – Exchange 5.0 and 5.5


Defense in Depth cont.

Hardening Windows
Hardening techniques
• Limit services
  – Verify what services are needed
  – On servers, usually these can be disabled
    » IIS (unless needed), Fax service, Indexing service, Messenger, Telnet, Remote Access, QoS RSVP, others
  – On workstations, disable unless needed
    » Fax service, Indexing service, Messenger, Telnet, others
    » Enable firewall
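The workstation service list above as a checkable script, an added example that is not part of the presentation. The short service names (Fax, CiSvc, Messenger, TlntSvr, RSVP) are the XP / Server 2003 names, and the default run changes nothing; -Enforce and an elevated prompt are assumed for the real change.

```powershell
# Added example, not from the presentation. Reports the state of the services the slide
# lists as normally unnecessary on a workstation and, only with -Enforce, stops and
# disables them. Service short names are the XP / Server 2003 names; services absent
# on a given build are reported as such. Assumes an elevated PowerShell prompt.

function Invoke-WorkstationServiceHardening {
    param([switch]$Enforce)

    # Display name from the slide -> Windows service short name
    $targets = @{
        'Fax service'      = 'Fax'
        'Indexing service' = 'CiSvc'
        'Messenger'        = 'Messenger'
        'Telnet'           = 'TlntSvr'
        'QoS RSVP'         = 'RSVP'
    }

    $report = @()
    foreach ($entry in $targets.GetEnumerator()) {
        # WMI exposes StartMode on every PowerShell version; Get-Service only does so on 5.0+.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($entry.Value)'"
        if ($null -eq $svc) {
            $report += New-Object PSObject -Property @{
                Service = $entry.Key; State = 'absent'; StartMode = '-'; Action = 'none' }
            continue
        }

        if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') {
            $action = 'already hardened'
        } elseif ($Enforce) {
            # Stop first so a running instance does not linger until reboot, then
            # disable so it cannot be started again (by a user or by malware).
            if ($svc.State -ne 'Stopped') { Stop-Service -Name $entry.Value -Force }
            Set-Service -Name $entry.Value -StartupType Disabled
            $action = 'stopped and disabled'
        } else {
            $action = 'WOULD stop and disable (dry run; use -Enforce)'
        }

        $report += New-Object PSObject -Property @{
            Service = $entry.Key; State = $svc.State; StartMode = $svc.StartMode; Action = $action }
    }
    return $report
}

# Dry run by default: review the table, then re-run with -Enforce on a test machine first.
Invoke-WorkstationServiceHardening | Format-Table Service, State, StartMode, Action -AutoSize
```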


Defense in Depth cont.

Hardening Windows
Hardening techniques
• Limit applications
  – Verify what applications are needed; many can be removed without impacting functionality
  – On servers, usually you can remove the following
    » Outlook Express, IIS, Media Player, Journal viewer, Games, POSIX, OS/2 subsystem
  – On workstations, usually you can remove the same
  – Limit what applications end users can run
  – Do not allow end users to install applications


Defense in Depth cont.

Hardening Windows
Hardening techniques
• Limit protocols
  – Verify what protocols are needed for your network
    » On servers normally TCP/IP is sufficient
    » On workstations normally TCP/IP is all that is needed
    » Remove IPX/SPX, NetBIOS
• Limit Network devices
  – Bluetooth (disable unless needed)
  – Wireless (disable unless needed)
  – Firewire (disable unless needed)


Defense in Depth cont.

Hardening Windows
Firewalls
• Host based firewalls
  – Server options
    » Windows 2003 SP1 firewall option
  – Workstation options
    » XP SP2, ZoneAlarm, Comodo Firewall
    » 85 listed on Download.com
  – Vista
    » Much better default settings in Vista


Defense in Depth cont.

Hardening Windows
Intrusion Protection Systems
• IPS vs IDS
  – Why detect when you can protect?
  – Signature vs Anomaly
• IPS can be host or network based
• IPS Host options
  – eEye Blink, Prevx Home
• IDS host options
  – SFC System File Checker from MS (can be spoofed)
  – LanGuard
• IPS Network options
  – ForeScout, TippingPoint, McAfee, ISS are options


Defense in Depth cont.

Layer 4 – Safely supporting Authorized Users
ID and Access Management
• Verify that the right people are allowed to use a system
• Two factor authentication
  – Pass phrase and token
• Three factor authentication
  – Pass phrase, token, biometric
File Encryption
• Encrypt your sensitive data and your backups!
• USB drive encryption
• Backup encryption
• BitLocker in Vista – the start of HD encryption


Defense in Depth cont.

Layer 4 – Safely supporting Authorized Users
Secure Communication
• SSL, encrypted tunnels, VPNs
  – SSL firewalls are hot / popular
    » Easy for the end user to use
PKI – Public Key Infrastructure
• Digital certificates, public key cryptography, Certificate Authorities
• Big topic, lots of details here, but adds a significant layer of security for the end users


EDUCAUSE Security Task Force Effective Practices

• The EP group is a sub-group of the Security Task Force
• Meets bi-weekly on Fridays via phone conference
• Active Security staff in the Higher Ed space
• Develops Effective Practices drawn from real world staff
• Website link is:
  – https://wiki.internet2.edu/confluence/display/secguide/Effective+IT+Security+Practices+and+Solutions+Guide


EDUCAUSE Security Task Force Effective Practices

Current List of EPs
• Access Control Systems and Methodology (IT Security Guide)
• Applications and System Development (IT Security Guide)
• Awareness and Training (IT Security Guide)
• Business Continuity and Disaster Recovery (IT Security Guide)
• Compliance and Legal Issues (IT Security Guide)
• Confidential Data Handling Blueprint (IT Security Guide)
• Data Incident Notification Toolkit (IT Security Guide)
• Incident Handling and Forensics (IT Security Guide)
• Operations Security (IT Security Guide)
• Personnel Security (IT Security Guide)
• Physical and Environmental Security (IT Security Guide)
• Responsible Use and Ethics (IT Security Guide)
• Risk Management (IT Security Guide)
• Security Architecture and Models (IT Security Guide)
• Security Policies and Procedures (IT Security Guide)
• Telecommunications and Network Security (IT Security Guide)


EDUCAUSE Security Task Force Effective Practices

My top picks from the list:
• Confidential Data Handling Blueprint
• Awareness and Training
• Data Incident Notification Toolkit
• Incident Handling and Forensics
• Risk Management
• Security Policies and Procedures


What about Vista? Vista Security Enhancements

Fundamentals
• SDL
• Service Hardening
• Code Scanning
• Default configuration
• Code Integrity

Threat and Vulnerability Mitigation
• IE – protected mode / anti-phishing
• Windows Defender
• Bi-directional Firewall
• IPSEC improvements
• Network Access Protection (NAP)

Identity and Access Control
• User Account Control
• Plug and Play Smartcards
• Simplified Logon architecture

• Bitlocker
• RMS Client


Tools that Work!

Tools and Techniques
Open Source Tools for Network testing
• Metasploit
  – Framework for testing exploits
• Nessus
  – Scanning tool to check for vulnerabilities
• Ethereal
  – Packet sniffer
Microsoft Tools for Desktop Security
• MBSA 2.0.1
  – MBSA 2.1 in Beta (Vista version)
• IIS Lockdown Tool
• Microsoft Defender (AV / Malware detector)
• http://www.microsoft.com/technet/security/default.mspx
• http://www.microsoft.com/protect/default.mspx


Tools that Work!

Tools and Techniques
Other Tools for Desktop Security
• Comodo Firewall (better than ZoneAlarm)
• Spybot TeaTimer
  – No cost IPS (though you can donate)
• Secunia PSI (Personal Software Inspector)
  – Beta software that checks for current versions of software installed on your PC
  – https://psi.secunia.com/
• MS Defender
  – MS anti-spyware / malware tool (Free)


Tools that Work!

Tools and Techniques
Rootkit revealers
• VICE – freeware
  – http://www.rootkit.com/vault/fuzen_op/vice.zip
• Patchfinder – freeware
  – http://www.invisiblethings.org
• RootkitRevealer – freeware
  – http://www.sysinternals.com/Files/RootkitRevealer.zip
• BlackLight – commercial from F-Secure
  – http://www.f-secure.com/
• Tripwire – file based integrity checking
  – http://www.tripwire.com
  – Not as useful anymore due to memory based rootkits


Demos

Tools and Techniques
Available Tools
• Spybot TeaTimer – DEMO
• Comodo Firewall – DEMO


Windows Security Resources

Resources
• www.educause.edu/security
• www.microsoft.com/technet/security
• www.sans.org/reading_room/whitepapers/windows
• www.securityfriday.com
• www.cert.org
• www.hackingexposed
• www.incidents.org
• http://www.foundstone.com/us/resources-free-tools.asp


Wrap up and Q & A

Fundamental security practice? DEFENSE in DEPTH
• 4 Walls or layers of security
  Wall 1 – Block attacks at the Network (IPS and IDS)
  Wall 2 – Block attacks at the Host (IPS and IDS)
    • Anti-Virus, Anti-Spam, Anti-Phishing, Anti-Spyware
  Wall 3 – Eliminating Security Vulnerabilities (SANS Top 20)
  Wall 4 – Safely supporting Authorized Users
• Perform a Risk Assessment
• Don’t re-invent the wheel, ask questions, look online

Questions? Comments? Tips?
My Email: [email protected]
513-487-3269
http://www.huc.edu