Page 1

Steve Riley
Senior Program Manager
Security Business and Technology Unit
steriley@microsoft.com

Common security screw-ups we have known and seen

Security Myths

Page 2

© 2005 Microsoft Corporation, All Rights Reserved

Our network is secure, right?

Oh sure, don’t worry. We have several firewalls.

Page 3

The Truth

Your network is not secure!

At best it is protected

Protected networks are well designed networks with savvy users

Page 4

Fundamental Tradeoff

Secure / Usable / Cheap

You get to pick any two!

Page 5

Agenda

10 (more or less) things people do that do not improve security

Page 6

Use Some Hardening Guide

Page 7

Rolling Back The Guide

Page 8

Roles Your System Can Fill Now

Page 9

Hiding

Rename Administrator account: “Keeps bad guys away from admin account”

Turn off SSID broadcast: “Ensure nobody finds your AP”

Do not display last logged on user: “Never volunteer the username”

Change your web/ftp banner

They’ll find you! Security by obscurity is weak defense

Page 10

Make Tons Of Security Changes; Without A Policy

Policies, Procedures, & Awareness
Physical Security
Perimeter
Internal Network
Host
Application
Data

The “new math” syndrome: 1+1 = [0,-1)

Page 11

Get Evaluated Based On Number of Tweaks?

No problems, make harmless ones:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\DisableHackers=1 (REG_DWORD)
HKLM\Wetware\Users\SocialEngineering\Enabled=no (REG_SZ)
HKCU\Wetware\Users\CurrentUser\PickGoodPassword=1 (REG_BINARY)
HKLM\Hardware\CurrentSystem\FullyPatched=yes (REG_SZ)
HKLM\Software\AllowBufferOverflows=no (REG_SZ)

Page 12

Better Yet: Get Promoted

[Chart: 3rd Quarter ROI Contribution By Area; areas: Sales, Engineering, IT, Tweaks]

Page 13

We Need High Security

Is that what you want?

Page 14

Consider your needs first

Page 15

Detection Gone Bad

Detection Does Not Always Work

Account Lockout

Account Lockout Is Attack Detection
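Added example, not from the deck: the slide's point that a per-account lockout counter is not attack detection, shown over a few constructed failed-logon records in a made-up one-line format. The lockout view locks the one user who mistyped her own password five times and says nothing about the source that failed once each against eight different accounts; a per-source view over the same records shows that source immediately. Field names, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed logon records (not from the deck). Format is invented:
#   <timestamp> <LOGON_FAIL|LOGON_OK> user=<account> src=<address>
LOG = """\
2005-03-14T09:01:02 LOGON_FAIL user=alice src=10.0.0.5
2005-03-14T09:01:07 LOGON_FAIL user=alice src=10.0.0.5
2005-03-14T09:01:11 LOGON_FAIL user=alice src=10.0.0.5
2005-03-14T09:01:15 LOGON_FAIL user=alice src=10.0.0.5
2005-03-14T09:01:20 LOGON_FAIL user=alice src=10.0.0.5
2005-03-14T09:01:25 LOGON_OK   user=alice src=10.0.0.5
2005-03-14T09:10:00 LOGON_FAIL user=bob   src=192.0.2.77
2005-03-14T09:10:01 LOGON_FAIL user=carol src=192.0.2.77
2005-03-14T09:10:02 LOGON_FAIL user=dave  src=192.0.2.77
2005-03-14T09:10:03 LOGON_FAIL user=erin  src=192.0.2.77
2005-03-14T09:10:04 LOGON_FAIL user=frank src=192.0.2.77
2005-03-14T09:10:05 LOGON_FAIL user=grace src=192.0.2.77
2005-03-14T09:10:06 LOGON_FAIL user=heidi src=192.0.2.77
2005-03-14T09:10:07 LOGON_FAIL user=ivan  src=192.0.2.77
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGON_FAIL|LOGON_OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log: str) -> list:
    """Turn the constructed log text into a list of dicts, skipping lines that do not parse."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def lockout_victims(events: list, threshold: int = 5) -> set:
    """What a per-account lockout policy sees: accounts that reached `threshold` failures.
    This is the slide's point: the counter identifies who gets locked out, not who is attacking."""
    fails = defaultdict(int)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            fails[e["user"]] += 1
    return {user for user, n in fails.items() if n >= threshold}


def one_source_many_accounts(events: list, min_accounts: int = 5) -> dict:
    """What detection needs: sources that failed against many distinct accounts,
    even though no single account ever reached the lockout threshold."""
    accounts = defaultdict(set)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            accounts[e["src"]].add(e["user"])
    return {src: len(users) for src, users in accounts.items() if len(users) >= min_accounts}


def summarize(log: str = LOG) -> dict:
    """Both views side by side over the same records."""
    events = parse(log)
    return {
        "locked_out": lockout_victims(events),
        "flagged_sources": one_source_many_accounts(events),
    }


if __name__ == "__main__":
    result = summarize()
    print("lockout policy locked:", result["locked_out"])          # {'alice'}: the legitimate user
    print("sources hitting many accounts:", result["flagged_sources"])  # {'192.0.2.77': 8}
```

The lockout counter fires on alice, who then logs on successfully from her own workstation; the source that touched eight accounts never trips any per-account counter at all. Lockout is a cost you impose on users; the failed-logon records, correlated by source, are where detection actually lives.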

Page 16

Permanent Account Lockout

Termination Notice

Employee Name:            Employee ID:
Employee Address:         Employee SSN:
Manager Name:             Manager ID:
Department:
Termination Effective Date:
Benefits Continuation:    Yes / No
Severance Package:        Yes / No

Termination Reason:
  Opening unsolicited e-mail
  Sending spam
  Emanating viruses
  Port scanning
  Attempted unauthorized access
  Surfing porn
  Installing shareware
  Possession of hacking tools
  Refusal to abide by security policy
  Sending unsolicited e-mail
  Allowing kids to use company computer to do homework
  Disabling virus scanner
  Running P2P file sharing
  Unauthorized file/web serving
  Annoying the Sysadmin

Page 17

Physical Security

Software Cannot Replace Physical Security

Prevent shutdown without logging on
USB thumb drives
Recovery console restrictions
Restrict undock without logon

Page 18

Put Things In The Right Place

Page 19

Follow The Leader

“Security Expert”: (n) Someone who is quoted in the press

Certified… or just certifiable?

Page 20

Audit everything

“We need to know exactly what’s going on”

Will you be able to tell? That’s the tasty one…

Page 21

Password Cracking

Page 22

The real password problem

Client → Server: Hey, I want to authenticate
Server → Client: OK, here is a nonce, tell me who you are
Client → Server: Response – E(Hash, nonce)

If the bad guys have your hashes you have already lost!
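Added example, not from the deck: a constructed toy of the slide's three-message exchange, written to make its last line concrete. The server stores only Hash(password); the client proves possession of that hash by keying a MAC over the server's fresh nonce. The slide's E(Hash, nonce) is modelled here as HMAC-SHA256 keyed with the hash (the slide names no algorithm; that choice, the account name and the password are assumptions). Because the response is computed from the hash and never from the password, whoever holds the stored hash authenticates exactly as the real user does, which is why the hash has to be guarded like the password itself and why cracking it is beside the point.

```python
import hashlib
import hmac
import secrets

# Constructed toy protocol in the shape of the slide (not the deck's code):
#   client -> server: "I want to authenticate"
#   server -> client: nonce
#   client -> server: E(Hash, nonce), modelled as HMAC-SHA256(Hash, nonce)


def password_hash(password: str) -> bytes:
    """Verifier the server stores. Constructed: a real system would use a salted, slow hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_nonce() -> bytes:
    """Server step: 'OK, here is a nonce.'"""
    return secrets.token_bytes(16)


def make_response(stored_hash: bytes, nonce: bytes) -> bytes:
    """Client step: 'Response - E(Hash, nonce)'. The input is the hash, not the password."""
    return hmac.new(stored_hash, nonce, hashlib.sha256).digest()


def verify(stored_hash: bytes, nonce: bytes, response: bytes) -> bool:
    """Server step: recompute from the stored hash and compare in constant time."""
    return hmac.compare_digest(make_response(stored_hash, nonce), response)


# Constructed server-side account database: username -> stored hash.
SERVER_DB = {"alice": password_hash("correct horse battery staple")}


def authenticate(username: str, client_hash: bytes) -> bool:
    """One full exchange. The client supplies whatever hash it holds."""
    stored = SERVER_DB.get(username)
    if stored is None:
        return False
    nonce = new_nonce()
    return verify(stored, nonce, make_response(client_hash, nonce))


def legitimate_login() -> bool:
    # The real user derives the hash from the password she knows.
    return authenticate("alice", password_hash("correct horse battery staple"))


def login_with_hash_only() -> bool:
    # A party holding only the stored verifier never needs the password:
    # in this scheme the hash is password-equivalent. This is the slide's point.
    return authenticate("alice", SERVER_DB["alice"])


def wrong_password_login() -> bool:
    return authenticate("alice", password_hash("guess"))


def replayed_response_fails() -> bool:
    # The nonce is what the challenge buys you: a response computed for one
    # nonce is useless against a fresh one, so sniffing a response does not help.
    stored = SERVER_DB["alice"]
    old_response = make_response(stored, new_nonce())
    return not verify(stored, new_nonce(), old_response)


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())          # True
    print("hash-only login:", login_with_hash_only())       # True
    print("wrong password:", wrong_password_login())        # False
    print("replay rejected:", replayed_response_fails())    # True
```

The nonce defends against replay of a captured response; it does nothing to protect the stored hash, because the hash is the secret the protocol actually tests. Protecting the verifier store is therefore the control that matters here, not the strength of the hash against cracking.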

Page 23

The Real Password Problem

Admin password
Admin.R386W

Page 24

Evolution of the Problem

Page 25

What We Tell Users

Page 26

What Users See

Page 27

Vendors Can Fix User Security Problems

The real problem is uneducated users

Properly configured users are your strongest defense!

Jesper Johansson: Make mockup of additional GPOs for a user, to be delivered in Windows 2010 Implant Edition. Possibilities: Raise intelligence = yes; OpenEmailWorms = no; Surf porn = only after hours
Page 28

Configuring Users

Page 29

SSH/HTTP/HTTPS is great. We only have to open one port in the firewall

[Diagram: Network and Transport Layers; 80/tcp (UFBP) and 443/tcp (SUFBP) through The Firewall; carried over UFBP and SUFBP: SSH, VPN, Remote Control]

Page 30

Network Security Claims

Our network/software/hardware is: Secure, Impenetrable, Unbreakable

Page 31

Network Security Claims

Page 32

Newsflash

Security is hard!

There is no easy fix

Page 33

The myths

1. Security guides make your system secure
2. If we hide the bad guys won’t find us
3. The more tweaks the better
4. All environments should follow the advice in <insert guide here>
5. High security is an end goal for all environments
6. Security tweaks can fix physical security problems
7. The lemming security model - always follow expert recommendations
8. We need to audit everything
9. Password cracking is our biggest problem
10. Security tweaks will stop worms and viruses
11. Encrypted attack traffic is much better than clear-text attack traffic

Page 34

For more information

Jesper and Steve finally wrote a book!

Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437

Page 35

Steve Riley
steriley@microsoft.com

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.