
Tomasz Zukowski Inobits Consulting Session Code: WSV301



12 Tips to Secure Your Windows Systems, Revisited: How Windows Vista, Windows Server 2008/R2, and Windows 7 Change the Game



Question: How many of you do security at your company?


Question: How many of you ASKED to do security at your company?


What's This Talk All About?

Several things:
- Review the fundamentals, but with a fresh "2009 perspective"
- A chance to help you in the ongoing battle to convince our users that security matters
- If you've made the choice to use Win 6 or 7, I want you to know where to go to get the most out of that investment security-wise


Why Security Matters

- Protecting company assets, of course
- But the Internet adds a new dynamic
- Computers are "levers" when it comes to data; when things are good, they're very good, and when they're bad, they're very bad – and get worse quickly!
- There are also the matters of public security, which is another very good reason to care


Twelve Tips

1. You are a risk manager
2. Write a security policy
3. Passwords
4. Authenticate right
5. Stomp Administrator
6. Auditing and logs
7. Nail the services... or the developers
8. Physical security
9. Have a DR plan
10. Upgrade the carbon units
11. Stay informed
12. Patch!


Risk Analysis


Security’s a Tradeoff…

- ... like everything else in business
- You cannot make your system completely secure
- We accept and absorb risks all the time


Security Has A Price

- IT's job versus security's job
- Many "hardening" techniques will cause software to break


Write a Security Policy: one on paper, that is

We're talking here about protecting the organization from destruction, so...
- This only works if management's on board
- Must have a written security policy
- Must have a few items that, well, could cause termination
- If not, then relax; you're going to get hacked, probably by an insider, but there's nothing you can do about it, so don't work late
- Good sample policies at http://www.sans.org/resources/policies/


Practical Talk About Passwords
"Bad passwords always beat good security"


Passwords – the stakes

- Passwords are it for most of us in terms of identifying ourselves to the network
- Bad guys just need one account, not all of them
- Passwords are a carbon-based issue, not a silicon-based issue
- Again, get the users on board, or it's likely that no password technology will ever work


Passwords – the modern facts

Passwords are attacked in several ways:
- Shoulder surfing
- Post-Its
- They're yelled across a room
- Someone steals your password "hashes" and cracks them
- Someone tries repeatedly to log on with different passwords

Note that only the last two are technological


A Bit of Technicals on Passwords

Computers don't store your password; they convert it to a 128-bit "hash" and store that:

  "Open Sesame"  ->  hash function (any of many mathematical processes)  ->  0F725ACD85C6390EE6F218C7D382C552

This is essentially your real password – if bad guys get it, they can (1) attempt to reverse it to get your password (difficult) or just directly use the hash to impersonate you (easy)


How Bad Guys Get Your Hash

- Physical access to your system
- Guessing it
  But that means trying 2^128 possibilities, which is still computationally unlikely – at a million/second, it'd take 10^25 years, and even Moore's Law won't crack that for a while
- Guessing it with a hint... now, that might be possible!


Hint Sources

- Structural limitations on passwords
  - The 1980's "LAN Manager" software limited the possible number of hashes so that checking all possible hashes can be done in a few days on a modern system rather than a zillion years... so LM hashes must go
- Hashes come from human-chosen passwords and humans tend not to create passwords like "6$^^hH-()()()()(7Ghala"
- Worse yet, many people restrict themselves to personal info or English words

This is how the bad guys get passwords!


Protecting Your Passwords

- Get your users to create useful, non-trivial passwords
  - Mandate a minimum password length of at least 8 characters, consider 12... 7 or under is bad under all circumstances for several reasons
  - Avoid complex passwords
  - Train users to avoid simple English words
- Get rid of LM now. Really... now.
  - Group policies will do it
  - Most systems will not have a compatibility problem, but check NASes and network-attached printers
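The "get rid of LM" group policies set two LSA registry values; the PowerShell below (an added example, not from the deck) reads them back on a host so you can verify where XP/2003 boxes stand, and offers a local equivalent of the policy. The meaning of each LmCompatibilityLevel value follows Microsoft's "LAN Manager authentication level" policy text; the defaults quoted in comments are assumptions to check against your build.

```powershell
# Added example, not from the deck. Run in an elevated prompt.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LmLevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only, refuse LM'
    5 = 'Send NTLMv2 only, refuse LM & NTLM'
}

function Get-LmStatus {
    $lsa = Get-ItemProperty -Path $LsaKey
    # NoLMHash = 1 stops the LM hash being stored at the NEXT password change;
    # hashes already stored survive until each user changes their password.
    # Absent value = 0 (store) on XP/2003; Vista+ cannot create LM hashes at all.
    $noLm  = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { 0 }
    # Absent LmCompatibilityLevel means the OS default applies (assumed: XP 0, 2003 2, Vista+ 3).
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { $null }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        NoLMHash         = $noLm
        LmCompatLevel    = $level
        LevelMeaning     = if ($null -ne $level) { $LmLevelMeaning[$level] } else { 'not set (OS default applies)' }
        LmHashStorageOff = ($noLm -eq 1)
        LmAuthRefused    = ($null -ne $level -and $level -ge 4)
    }
}

# Local equivalent of "group policies will do it": stop storing LM hashes and
# refuse LM authentication. Level 5 also refuses NTLMv1; use 4 if a NAS or
# printer still needs NTLMv1 (this is the compatibility check the deck warns about).
function Set-LmHardening([int]$Level = 5) {
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Type DWord -Value 1
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Type DWord -Value $Level
    Get-LmStatus
}

Get-LmStatus | Format-List
```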


Win 6/7 and LM

- After telling us to rid our networks of LM-related stuff for ten years, Microsoft took a big step... Vista, Server 2008, Win 7 and Server 2008 R2 have no support for LAN Man hashes or authentication at all
- You couldn't create an LM hash with Vista if you wanted to!


The Dumbest Passwords: I've got to stress this...

In the early 21st Century, these kinds of passwords can almost always be cracked in under three minutes:
- A name associated with you or your organization
- A date associated with you or your organization
- A dictionary word
- BTW, just adding a number or a capital adds no more than a few minutes to the time

People with these passwords must, sadly, be sterilized


12 Characters? Are You Crazy?

- I advocate a 12 character minimum password length... more length makes up for a "no complexity" requirement
- Only requires a bit of user education on the "passphrase"
- 12 lowercase letters = 95,428,956,661,682,176 possibilities
- Try a million a second, it'll take 300 centuries


The Ultimate Password
- Remember why English word passwords are childishly simple to crack? They weren't 12 years ago
- As Moore's Law strides on, one day any eight-character password, no matter how obscure, will be crackable in an hour or so
- And then what do we do?
- Answer: PKI... so put that on your "things to figure out in the next couple of years" list
- WS08 R2 Authentication Mechanism Assurance


Watch Your Authentication Protocols


Why They Matter

When you log on, your system decides under-the-hood how to authenticate with a domain controller – either:
- LM
- NTLM
- NTLM v2
- Kerberos

Even in an AD world, the top three get used... and you really want to avoid that


What? Not Use Kerberos?

Even in an AD-centric network, you may not get Kerberos:
- NET USE to an IP address
- Connect to a workgroup system on Windows of any version
- Connect to a pre-2000 system
- Failover from a busy DC
- Badly-written apps (any apps older than 7 years?)
- Intranet site not added to "local intranet" zone

Nowadays we really want to de-NTLM our networks as much as possible


Kerberos Logon vs NTLM Logon

How you know you're NTLM-ing:
- Can't join machines to domains
- Don't get group policies
- Netmon traces show NTLM, not Kerberos traffic

Tracking this stuff down by hand is a pain, so Windows 7/Server 2008 R2 offer some new group policies


NTLM Restriction Policies

- Essentially these new policies let you first track and then block NTLM logons
- There are basically three policies, each with an "audit" and a "block" option:
  - Incoming NTLM traffic (server tracking)
  - Outgoing NTLM traffic (client tracking)
  - Domain traffic (DC tracking)
- Create new logs of source "NTLM," numbers 8001, 8002, 8003, 8004
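Once the "audit" options are on, the question is which processes and targets are still NTLM-ing. The PowerShell below (an added example, not from the deck) parses those NTLM events and tallies them so you can clean up before flipping "audit" to "block". Assumptions: the log name and the meaning of each event ID follow Microsoft's NTLM auditing documentation, and the message field names are the ones seen in those events and may vary by OS version; the sample events are constructed so the functions can be exercised offline.

```powershell
# Added example, not from the deck.
$NtlmLog = 'Microsoft-Windows-NTLM/Operational'   # assumed log name
$NtlmEventMeaning = @{                              # assumed ID meanings
    8001 = 'outgoing NTLM (client side) that a block policy would stop'
    8002 = 'incoming NTLM (server side) that a block policy would stop'
    8003 = 'NTLM authentication in the domain (DC audit)'
    8004 = 'NTLM authentication in the domain blocked (DC)'
}

# The message body is a header line followed by "Key: value" lines.
function ConvertFrom-NtlmMessage {
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+?):\s*(\S.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $fields
}

# First populated field among the alternatives the different IDs use (assumed names).
function Get-FirstField([hashtable]$Fields, [string[]]$Keys) {
    foreach ($k in $Keys) { if ($Fields[$k]) { return $Fields[$k] } }
    return '-'
}

# Summarise a batch of events (anything with Id and Message) by ID, client
# process and target, most frequent first.
function Get-NtlmSummary {
    param([object[]]$Events)
    $rows = foreach ($e in $Events) {
        $f = ConvertFrom-NtlmMessage $e.Message
        [pscustomobject]@{
            Id      = [int]$e.Id
            Meaning = $NtlmEventMeaning[[int]$e.Id]
            Process = Get-FirstField $f @('Name of client process', 'Calling process name')
            User    = Get-FirstField $f @('Supplied user', 'User name')
            Target  = Get-FirstField $f @('Target server', 'Workstation name')
        }
    }
    $rows | Group-Object Id, Process, Target | Sort-Object Count -Descending | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{ Count = $_.Count; Id = $first.Id; Process = $first.Process;
                           User = $first.User; Target = $first.Target; Meaning = $first.Meaning }
    }
}

# Constructed sample events (not real log data) so the code runs offline.
$SampleEvents = @(
    [pscustomobject]@{ Id = 8001; Message = "NTLM client blocked audit.`r`nTarget server: fs01`r`nSupplied user: jsmith`r`nName of client process: C:\Windows\explorer.exe" }
    [pscustomobject]@{ Id = 8001; Message = "NTLM client blocked audit.`r`nTarget server: fs01`r`nSupplied user: jsmith`r`nName of client process: C:\Windows\explorer.exe" }
    [pscustomobject]@{ Id = 8002; Message = "NTLM server blocked audit.`r`nCalling process name: C:\Windows\System32\lsass.exe`r`nUser name: svc-backup`r`nWorkstation name: BKP01" }
)

Get-NtlmSummary -Events $SampleEvents | Format-Table -AutoSize
# On a host with the audit policies on, feed the live log instead:
# Get-NtlmSummary -Events (Get-WinEvent -FilterHashtable @{ LogName = $NtlmLog; Id = 8001,8002,8003,8004 })
```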


Handling Admin Accounts and Eliminating "Administrator"


Creating Good Admin Passwords: without having to stress the users

- Having someone crack one of our (administrator) passwords would be bad
- One answer: set up different password policies for members of the Domain Administrators group from the policy for non-admins
- Possible in 2008 and 2008 R2 with "password settings objects"
- Needs 2008 DFL; a good tool to utilize it is PSOMgr at www.joeware.net
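The same password settings object can be built with the 2008 R2 Active Directory PowerShell module instead of PSOMgr; the block below is an added example, not from the deck, showing a stricter policy scoped to Domain Admins. The PSO name, the numeric settings and the admin account used for the check are assumptions to adjust.

```powershell
# Added example, not from the deck. Needs 2008 domain functional level and the AD module.
Import-Module ActiveDirectory

$psoName = 'PSO-DomainAdmins'   # assumed name

# Lower Precedence wins when several PSOs apply to one user. The values below
# are a sample stricter-than-default policy, not the deck's recommendation.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'

# PSOs apply to users and global security groups; scope this one to the admins.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Check which policy actually wins for a given admin (assumed sAMAccountName).
# Nothing returned means no PSO applies and the Default Domain Policy is in force.
Get-ADUserResultantPasswordPolicy -Identity 'alice.admin' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```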


PSOMgr.exe


Stomping Administrator: the account, that is

- Local "Administrator" account is unaccountable
- Rename it
- Prohibit insiders from using it also (otherwise, auditing is pointless)
- Give people's accounts the admin privileges that they need... no more
- Then assume that people using Administrator have no good in mind – make using it a firing offense!
- No real need for the Administrator acct any more


Stomping Administrator

- Randomize the admin password: net user administrator /random /domain > nul
- It doesn't hurt to rename the account in any case
- If using 2003 or 2008, you can:
  - create a smart card for the Administrator account
  - force the Administrator account to only be able to log on with the card – ctrl-alt-del won't work
  - lock up the card and disperse the PIN


Don’t Spend All Day As Admin

- Tempting to be logged in all day as an administrator
- Workaround: runas command, although truthfully it's a pain
- Works best when shift-right-clicking a menu item

But there's a better way...


What About UAC?

- In a sense, it's a "reverse Run As"
- You log in as an administrator, but automatically get two identities, and a reminder whenever you use the powerful one
- People find it annoying... but I really recommend that you keep it in place
- In silent mode, it essentially automates the "two account switch" trick
- Once you understand UAC, it can be very useful, so give it a second look


Audit Your Network


Windows Auditing

- It's been around forever, but isn't always used
- Why use it?
  - After-the-fact forensics
  - Helpful in compliance situations (HIPAA, SOX)
- Treat logs policy-wise the way you treat money accounting records
- Biggest pain is collecting and archiving the Security logs, as there's one on every workstation and server


Auditing and Logs: what modern Windows offers

- Fine-tune who you're auditing with auditusr, which first appeared in XP SP2 and 2003 SP1/R2
- In Vista and later, it's called "auditpol" and has different syntax
- Easily centralize logs with Windows 6 and 7's ability to centralize events to a single system – "event log subscriptions"


Auditing And Logs: some fairly big news in Windows auditing in Win 7/R2

- More auditable stuff: 9 categories in Vista... 54 in Windows 7/R2
- To see this, look in Group Policies / Windows Settings / Security Settings; the old "Local Policies / Audit Policy" is there, but there's also now an "Advanced Audit Policy Configuration" folder
- "Global SACL" or "Global object access auditing" completely changes object auditing
- Use either group policies or auditpol to enable "Reason for access" reporting
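What the auditpol route looks like on a single Windows 7/R2 box, as an added example that is not from the deck: enable the subcategories object auditing depends on, set a global SACL, and read the result back. The principal and access mask are placeholders; that the Handle Manipulation subcategory is what turns on "reason for access" reporting is taken from Microsoft's advanced audit policy documentation, so confirm it on your build.

```powershell
# Added example, not from the deck. Run from an elevated prompt on Win 7 / 2008 R2.

# 1. Object-access events are only generated when the matching subcategory is on;
#    Handle Manipulation is the one that adds the "reason for access" text.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# 2. Global SACL for files: audit failed write attempts (FW) by Everyone on every
#    file and folder on this machine, without editing per-object SACLs.
#    Placeholder principal and rights; start with failures only to limit log volume.
auditpol.exe /resourceSACL /set /type:File /user:Everyone /failure /access:FW

# 3. Read the configuration back; this is what the equivalent group policy would set.
auditpol.exe /get /category:"Object Access"
auditpol.exe /resourceSACL /view /type:File

# 4. When the test is over, remove the global entry again.
# auditpol.exe /resourceSACL /remove /type:File /user:Everyone
```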


Securing Services


Securing Services

- Whenever there's a headline-grabbing security attack, there's a compromised service behind it
- There have traditionally been three things you can do to reduce services' vulnerabilities:
  - Disable the unnecessary ones
  - Minimize the remaining ones' privileges
  - Minimize the remaining ones' permissions
- XP SP2 started a trend that way, but you may be surprised at what Windows 6 did to shore up services' security


Services, Phase One: disable unnecessary ones

- Much less necessary with Vista/2008
- Messenger, clipbook, alerter services gone
- Other services are isolated in a separate Terminal Services session and so cannot interact with the desktop (only bad part – causes some pre-Vista print drivers to fail)


Services, Phase 2: de-fang the services that you leave running

- Services run not as you, but as some account – probably System, which is all-powerful
- Thus, any damage that they can do is limited by the permissions on that account
- Unfortunately that's usually System
- Vista/2008 includes a built-in feature that reduces much of System's power


Services, Phase 2: finding out if your devs have been lazy

- The problem is that not every developer exploits it
- Way to find out: open an elevated command prompt and type sc qprivs servicename
- If you don't get a list of privileges, that service has not been secured – so yell at the developer!


Services, Phase 3: reducing their power with service isolation

- "System" has all-encompassing file permissions
- Vista/2008 take it a step further with "service isolation"
- Basically, an isolated service is one whose developer has very finely determined which files/folders/etc. a given service needs, and used a new Vista/2008 feature to explicitly lock it out of everything else
- Test: "sc qsidtype servicename" – you want to see "SERVICE_SID_TYPE: RESTRICTED"
- If not... whack the developers! (Hey, if you've got Win 6/7, you've already paid for this!)
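Running sc qprivs and sc qsidtype one service at a time gets old; the PowerShell below (an added example, not from the deck) reads the same two settings for every Win32 service from its registry key and lists the LocalSystem services that have neither protection. The SERVICE_SID_TYPE value mapping (0 NONE, 1 UNRESTRICTED, 3 RESTRICTED) is from the Win32 service API; the registry value names are the ones the service control manager stores.

```powershell
# Added example, not from the deck. Needs an elevated prompt on Vista/2008 or later.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SidTypeName = @{ 0 = 'NONE'; 1 = 'UNRESTRICTED'; 3 = 'RESTRICTED' }   # SERVICE_SID_TYPE_* values

function Get-ServiceHardeningReport {
    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 0x10/0x20 = Win32 own/shared process; anything else is a driver or not a service.
        if (-not $p.Type -or (([int]$p.Type) -band 0x30) -eq 0) { continue }
        # RequiredPrivileges is what "sc qprivs" prints; absent means the service keeps
        # every privilege its account has (for LocalSystem, all of them).
        $privs   = @($p.RequiredPrivileges | Where-Object { $_ })
        # ServiceSidType is what "sc qsidtype" prints; absent means NONE.
        $sidType = if ($null -ne $p.ServiceSidType) { [int]$p.ServiceSidType } else { 0 }
        [pscustomobject]@{
            Service    = $key.PSChildName
            LogonAs    = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
            PrivCount  = $privs.Count
            Privileges = ($privs -join ',')
            SidType    = $SidTypeName[$sidType]
            Hardened   = ($privs.Count -gt 0 -and $sidType -eq 3)
        }
    }
}

# The ones to yell at the developer about: running as LocalSystem with neither a
# privilege list nor a restricted service SID. Services already on LocalService or
# NetworkService are left out because their account is limited to begin with.
function Get-UnhardenedSystemServices {
    Get-ServiceHardeningReport | Where-Object {
        $_.LogonAs -eq 'LocalSystem' -and $_.PrivCount -eq 0 -and $_.SidType -ne 'RESTRICTED'
    }
}

Get-UnhardenedSystemServices | Sort-Object Service |
    Format-Table Service, LogonAs, PrivCount, SidType -AutoSize
```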


Managed Service Accounts: background, what problem does this solve?

- Services must run under an account, and LocalSystem/LocalService/NetworkService can't always do the job
- IIS, Exchange, SQL are some common examples
- In that case, techies need to create accounts to act as service accounts
- That works fine, except for the issue of passwords: they need regular changing or services stop working


Managed Service Accounts: answer, managed service accounts

- New class of accounts
- Sorta user accounts, sorta machine accounts (new icon)
- You:
  - Create one on the domain
  - "Install" it on the member server
  - Configure the service so that it logs on as that account, and from there password updates etc. are automatic
- Need one account / member


Managed Service Accounts: password details

- 240-character passwords created
- Ignore group policies about passwords and ignore fine-grained password policies
- Automatically handle password changes every 30 days


Managed Service Accounts: requirements/details

- Requires at least one 2008 R2 DC (which means a 2008 R2 schema on the forest)
- Requires AD PowerShell (and therefore AD Web Service) to create accounts
- Live in their own new folder (not an OU) called "Managed Service Accounts"
- Servers hosting services that use the accounts must be R2/Win 7
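The create / install / configure procedure from the earlier slide, carried through with the 2008 R2 AD PowerShell module, as an added example that is not from the deck. The account, server, service and domain names are assumptions; the service change is done through WMI because that is a reliable way to hand the service control manager an empty password from PowerShell.

```powershell
# Added example, not from the deck. Steps 1 runs anywhere with the AD module;
# steps 2 and 3 run on the member server itself (must be R2/Win 7).
Import-Module ActiveDirectory

$msa    = 'svc-app01'            # assumed MSA name
$server = 'APP01'                # assumed member server hosting the service
$svc    = 'AppSvc'               # assumed service name on that server
$logon  = 'CORP\' + $msa + '$'   # MSAs log on as DOMAIN\name$ (assumed domain CORP)

# 1. Create one on the domain. It lands in the "Managed Service Accounts"
#    container; tie it to the one member server allowed to use it.
New-ADServiceAccount -Name $msa -Enabled $true
Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msa

# 2. "Install" it on the member server: the host caches the account so it can
#    run the 30-day password rotations itself. Test-ADServiceAccount is the check.
Install-ADServiceAccount -Identity $msa
if (-not (Test-ADServiceAccount -Identity $msa)) { throw "MSA $msa is not usable on this host" }

# 3. Point the service at the MSA with a blank password; the service control
#    manager fetches the real one from AD. Win32_Service.Change takes
#    (DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
#     StartName, StartPassword, ...); $null leaves a field unchanged, 0 = success.
#    (From cmd this is: sc config AppSvc obj= CORP\svc-app01$ password= "")
$service = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
$rc = $service.Change($null, $null, $null, $null, $null, $null, $logon, '').ReturnValue
if ($rc -ne 0) { throw "Changing the logon account for $svc failed with code $rc" }
Restart-Service -Name $svc

# Verify that the service really runs under the MSA.
Get-WmiObject -Class Win32_Service -Filter "Name='$svc'" | Select-Object Name, StartName, State
```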


Physical Security


Physical Security

- The idea is "if I can touch it, I can hurt it"
- The top item on many people's security lists... but not always a practical one to accomplish
- Servers are often protected... but what about in branch offices?
- And how can we (realistically) secure workstations – particularly laptops?
- And beyond workstations, what about the other things that carry copies of our data?


Physical Security using Windows 6 and 7: three technologies

- Device installation group policies: "no removable devices allowed on this system"
- BitLocker: encrypts drives, securing
  - laptops
  - branch office servers
- BitLocker To Go: encrypts removable devices like USB sticks
  - Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"


Physical Security and RODCs: protecting your Active Directory

- In branch offices with questionable physical security, consider 2008-based "read only domain controllers" or RODCs
- By default, RODCs contain copies of the AD... but no passwords
- Thus, it's no good if the WAN link's down, but if stolen, it's got nothing we care about


Physical Security and RODCs: why's it good?

- RODCs let you "loosen" security a bit
- You can put as many or as few passwords onto an RODC as you like
- And if the RODC is stolen, just three clicks resets the passwords and deletes the RODC's domain membership
- Combine it with BitLocker and you're better protected


Disaster Recovery / Business Continuity


Have A Disaster Plan: the problem

- Every organization needs DR and BC plans
  - "What if we're hacked?"
  - "What if there's a fire?"
  - "What if the water tower on the roof leaks and we have a flood on the top floor, where the servers are?"
- DR plans can be a pain; here are a few thoughts


Have A Plan: have simple (but explicit) plans

- After the attack/disaster, the question's the same: where are the backups? How do I restore them? How do I rebuild a DHCP server?
- These should be step by step plans
- These must be tested beforehand
- This is not a small job, but it's necessary and even constitutes training materials for new hires


Make DR a Bit Easier w/2008

- DR plans are a good idea... but can be so hard to do
- Answer: some sort of image backup/"bare metal restore" tool
- Many of the big vendors have them
- But 2008 includes one: CompletePC backup


Upgrade the Carbon Units: no technology can protect us from attachments

- Kournikova worked because users didn't know better and because we "protect" them from extensions
- The weasels only win when users invite them in
- Don't yell, but... user training is the answer
- Just 15 minutes of basics about mail and attachments goes a long way


Stay Informed and Stay Paranoid

- www.microsoft.com/security for patches etc.
- www.sans.org
- www.securityfocus.com
- the security pages from whatever apps you rely upon


Simplify Patching

- If "physical" is #1 on many lists, this is probably #2 or #3
- WSUS, of course
- But don't forget your other technologies
- And then there's patching images
- If, however, you're using the free Windows (6 and 7) deployment tools from Microsoft, patching WIM imaging technology is easier than just about any tech around (and, again, it's free)


Related Content

- WCL308: Deploying Windows 7 BitLocker in the Enterprise
- SIA310: Cybercrime: A Journey to the Dark Side
- SIA202: Developing a Security Awareness Strategy
- SIA201: Windows 7 Security Overview
- SIA302: Security Management - Integrated Enterprise Security
- SIA206: Microsoft Security Intelligence Report


question & answer


www.microsoft.com/teched Sessions On-Demand & Community

http://microsoft.com/technet Resources for IT Professionals

http://microsoft.com/msdn Resources for Developers

www.microsoft.com/learning Microsoft Certification & Training Resources



Complete a session evaluation and enter to win!

10 pairs of MP3 sunglasses to be won


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.