This is my presentation, which I made at Microsoft Days Bulgaria, Kempinski Hotel, 15.04.2009.
IT Professionals
Kempinski Hotel Zografski, Sofia
April 12, 2023

Windows Server 2008 Security Improvements
Deniz Kaya
Microsoft, Cisco, Ironport, Mile2 Instructor at
MCT, MCSE, CCSI, CCSP, CCNP, ICSI, ICSP, CPTS
Agenda
• Windows Firewall with Advanced Security
• Server and Domain Isolation
• Server Core
• Windows Service Hardening
• Read-Only Domain Controllers
• Fine-grained Password Policy
• Network Access Protection
Windows Firewall with Advanced Security
• Combined firewall and IPsec management
  – New management tools – Windows Firewall with Advanced Security MMC snap-in
  – Reduces conflicts and coordination overhead between technologies
• Firewall rules become more intelligent
  – Specify security requirements such as authentication and encryption
  – Specify Active Directory computer or user groups
• Outbound filtering
  – Enterprise management feature – not for consumers
• Simplified protection policy reduces management overhead
Windows Firewall w/ Advanced Security
• Combined firewall and IPsec management
• Firewall rules become more intelligent
• Policy-based networking
Server & Domain Isolation
• Domain Isolation: protect managed computers from unmanaged or rogue computers and users
• Server Isolation: protect specific high-value servers and data
Isolation Solution Details
• Policy Management: policies are created, distributed, and managed through Active Directory® Security Groups and Group Policy:
  – Domain membership is required to access trusted resources.
  – Expands the use of supportive tools like Microsoft Systems Management Server (SMS) 2003 or Windows Server® Update Services (WSUS).
• Authentication: authentication is based on machine and user credentials:
  – Kerberos, X.509 certificates, NTLM version 2 (NTLMv2), NAP health certificates
• Enforcement: policies are enforced at the network layer by IPsec:
  – Uses IPsec transport mode for end-to-end security and Network Address Translation (NAT) traversal
  – Packets encapsulated with Encapsulating Security Payload (ESP) or Authentication Header (AH) for authentication and integrity
  – Optionally, encryption of highly sensitive network traffic
Demo
• Windows Firewall with Advanced Security
• Server & Domain Isolation
Server Core
• Only a subset of the executable files and DLLs installed
• No GUI interface installed
• 9 available Server Roles
• Can be managed with remote tools

Figure: Server Core layering. Windows Server Core keeps Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems; GUI, CLR, Shell, IE, OE, etc. are not installed. Roles shown: WSv, DHCP, DNS, File, Print, AD DS, AD LDS, Media, IIS 7.
Server Core and Roles
• Windows Server is frequently deployed to support a single role or a fixed workload
  – Despite a fixed workload, still have to deploy and service all of Windows Server
  – Services not essential to the workload have costs for servicing, security, and management.
• IT Staff and IT Skills are technology role-centric
  – Active Directory Administrators don’t usually administer web servers
  – Skill sets for SQL Administration are not highly transferable to DHCP administration
Service Hardening

Windows Service Hardening
• Built-in accounts for easy management
  – No password management requirements
  – LocalSystem
    • Very powerful and has most privileges – use cautiously
  – LocalService and NetworkService
    • Greatly reduced privilege set
    • Network Service uses machine account for remote authentication

Figure: active protection of the file system, registry and network.
Service Hardening
• Services are attractive targets for malware
  – Run without user interaction
  – Number of critical vulnerabilities in services
  – Large number of services run as “System”
  – Worms target services
    • Sasser, Blaster, CodeRed, Slammer, etc.
Problem: Shared Session 0
• Services and user applications for the console user run in the same session (session 0)
• Application windows in the same session can freely send window messages to each other.
• A low-privilege application window may exploit a vulnerability in a high-privilege application window by means of window messaging
Solution: Session 0 Isolation
• No more shared session 0
  – Session 0 is assigned exclusively to services and the session is made non-interactive
  – User applications run in session 1 and higher
  – Services are isolated from user applications to avoid attacks
Problem: Privilege issue
• Services automatically gain all privileges of the account they are running in
• Services cannot specify the set of privileges they require
• Lack of granular control over privileges
  – Services run with unnecessarily high privileges

Figure: two services in the Local System account (Disk Manager, Garbage Collector) both receive the account’s privileges: Load driver, Shut Down, Back Up.
Solution: Running With Least Privilege
• Privilege stripping
  – Enables a service to run with least privilege
• Use only required privileges
  – Express required privileges during service configuration
    • SeBackupPrivilege, SeRestorePrivilege, etc.
    • ChangeServiceConfig2 API (sc.exe can be used as well)
  – SCM computes the union of all hosted services’ required privileges
    • Permanently removes unnecessary privileges from the process token when the service process starts
  – No privileges are added
    • Target account must support the required privileges, e.g. a service in the LocalService account cannot get SeTcbPrivilege
Problem: No Service Isolation
• Services do not have their individual identity
  – Identity of a service is tied up with the account it’s running in
  – E.g. when the Web Server is granted access to the database, the Time Server also gains access to the database

Figure: Web Server and Time Server both run under Account: LocalService and both reach the Database.
Solution: Service Isolation
• Service-specific SID
  – 1:1 mapping between service name and SID
  – Use to ACL objects the service needs, to allow access only to the service-specific SID
    • Use ChangeServiceConfig2, sc.exe to control the service SID
    • Set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
• Service-specific SID assigned at start time
  – When the service process starts
    • SCM adds service SIDs to the process token – S-1-5-80-XXXXX-YYYYY
    • SID enabled/disabled when service starts/stops
  – Service SIDs are local to the machine
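The two mechanisms on the Least Privilege and Service Isolation slides, as an added Python example that is not code from the presentation: service_sid derives the per-service SID the way Windows resolves NT SERVICE\<name> (S-1-5-80 plus the SHA-1 of the upper-cased UTF-16LE name), and host_token_privileges is a model of the SCM privilege-stripping rule for a shared service process, not a Windows API. The account privilege sets are a constructed subset.

```python
import hashlib
import struct

# Constructed subset of the privileges each built-in account can hold; enough
# to show that a LocalService service can never be granted SeTcbPrivilege.
ACCOUNT_PRIVILEGES = {
    "LocalSystem": {"SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
                    "SeLoadDriverPrivilege", "SeShutdownPrivilege",
                    "SeImpersonatePrivilege", "SeChangeNotifyPrivilege"},
    "LocalService": {"SeImpersonatePrivilege", "SeChangeNotifyPrivilege",
                     "SeAuditPrivilege", "SeCreateGlobalPrivilege"},
}


def service_sid(service_name: str) -> str:
    """Return the service-specific SID (what NT SERVICE\\<name> resolves to).

    The mapping is 1:1 and needs no lookup: S-1-5-80 followed by the SHA-1 of
    the upper-cased UTF-16LE service name, read as five little-endian 32-bit
    sub-authorities. The value is the same on every machine, but the SID is
    only meaningful locally.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))


def host_token_privileges(account: str, hosted: dict) -> set:
    """Model of the SCM privilege-stripping rule for one service process.

    hosted maps service name -> privileges it declared (ChangeServiceConfig2 /
    sc.exe privs). The process token keeps the union of what the hosted
    services declared and nothing more; a privilege the account does not hold
    cannot be added, so that configuration is rejected instead of honoured.
    """
    required = set().union(*hosted.values())
    unsupported = required - ACCOUNT_PRIVILEGES[account]
    if unsupported:
        raise ValueError(f"{account} cannot hold {sorted(unsupported)}")
    return required


if __name__ == "__main__":
    print("TrustedInstaller ->", service_sid("TrustedInstaller"))
    shared = {"Backup": {"SeBackupPrivilege", "SeRestorePrivilege"},
              "Clock": {"SeChangeNotifyPrivilege"}}
    print("token keeps:", sorted(host_token_privileges("LocalSystem", shared)))
```

Because the derivation is deterministic, an ACL granting access to NT SERVICE\<name> can be written before the service has ever started, and the same SID appears in the process token on every host.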
Network Access Restriction
– Service network restrictions are implemented with per-service SIDs
– Server 2008/Vista firewall has been enhanced to support service network restriction
– Services can add a firewall rule to specify the communication protocol, ports and direction of the traffic
  • e.g. a service can add a rule to restrict its network access to TCP port 10000 for outbound communication
– The integrated firewall in Vista/Server 2008 will block all other types of network access
Read-Only Domain Controller
Features
• Read Only Active Directory Database
• Only allowed user passwords are stored on RODC
• Unidirectional Replication
• Role Separation
Benefits
• Increases security for remote Domain Controllers where physical security cannot be guaranteed

Figure: RODC in the Branch Office replicating from the Main Office.
So how can we deploy a Domain Controller in this environment?!
Read-Only Domain Controller
Admin Role Separation
• RODC Server Admin does NOT need to be a Domain Admin
• Prevents Branch Admin from accidentally causing harm to the AD
• Delegated promotion
Passwords not cached by default
• Policy to configure caching branch-specific passwords (secrets) on RODC
• Policy to filter schema attributes from replicating to RODC
1-Way Replication
• No replication from RODC to Full DC
• Attack on RODC does not propagate to the AD
RODC – Attacker “experience”
Attacker: Let’s intercept Domain Admin credentials sent to this RODC.
RODC: With Admin role separation, the Domain Admin doesn’t need to log in to me.
Attacker: Let’s steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let’s tamper with data on this RODC and use its identity.
RODC: I have a Read-Only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Damn!
Read-Only Domain Controller – How it works
1. Logon request sent to RODC
2. RODC looks in its DB: “I don’t have the user’s secrets”
3. Forwards request to Full DC
4. Full DC authenticates user
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and queues a replication request for the secrets
7. Hub DC checks Password Replication Policy to see if password can be replicated

Figure: Branch (RODC) and Hub (Full DC), with the steps above numbered on the links between them.
Read-Only Domain Controller – Recommended Deployment Models
• No accounts cached (default)
  – Pro: Most secure, still provides fast authentication and policy processing
  – Con: No offline access for anyone
• Most accounts cached
  – Pro: Ease of password management. Manageability improvements of RODC and not security.
  – Con: More passwords potentially exposed to RODC
• Few accounts (branch-specific accounts) cached
  – Pro: Enables offline access for those that need it, and maximizes security for others
  – Con: Fine-grained administration is a new task
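The seven-step logon flow and the three caching models above, as an added Python simulation that is not the presentation’s code: a branch RODC answers locally only for secrets it holds, forwards everything else to the hub DC, and the hub enforces the Password Replication Policy (a Denied entry wins over Allowed) before any secret is replicated. The directory, group memberships, policy contents and the class names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordReplicationPolicy:
    """Per-RODC policy kept on the hub DC; membership in a Denied entry always wins."""
    allowed: frozenset = frozenset()   # default: nobody's secret is cached
    denied: frozenset = frozenset({"Domain Admins", "Enterprise Admins"})

    def may_cache(self, user: str, groups: set) -> bool:
        principals = {user} | groups
        return not (principals & self.denied) and bool(principals & self.allowed)

class FullDC:
    """Writable hub DC: holds every secret and applies the PRP on replication."""
    def __init__(self, secrets: dict, prp: PasswordReplicationPolicy):
        self.secrets, self.prp = secrets, prp

    def authenticate(self, user: str, password: str) -> bool:
        return self.secrets.get(user) == password

class RODC:
    """Branch RODC: read-only, holds only the secrets the hub's PRP let through."""
    def __init__(self, hub: FullDC):
        self.hub, self.cache = hub, {}

    def logon(self, user: str, password: str, groups: set, hub_up: bool = True) -> bool:
        if user in self.cache:                  # secret cached: answer locally
            return self.cache[user] == password
        if not hub_up:                          # WAN down and nothing cached
            return False
        ok = self.hub.authenticate(user, password)       # steps 3-5: forward, hub answers
        if ok and self.hub.prp.may_cache(user, groups):  # steps 6-7: replication, PRP check
            self.cache[user] = self.hub.secrets[user]
        return ok

# Constructed sample directory and the three deployment models from the slide.
SECRETS = {"alice": "branch-pw", "bob": "hq-pw", "admin": "da-pw"}
GROUPS = {"alice": {"Branch Users", "Domain Users"}, "bob": {"Domain Users"},
          "admin": {"Domain Admins", "Domain Users"}}
MODELS = {"none": PasswordReplicationPolicy(),
          "most": PasswordReplicationPolicy(allowed=frozenset({"Domain Users"})),
          "few": PasswordReplicationPolicy(allowed=frozenset({"Branch Users"}))}

def cached_after_logons(model: str) -> set:
    """Secrets left on the RODC once every user has logged on through it."""
    rodc = RODC(FullDC(SECRETS, MODELS[model]))
    for user, password in SECRETS.items():
        rodc.logon(user, password, GROUPS[user])
    return set(rodc.cache)
```

Running cached_after_logons for each model shows what a stolen RODC would contain: nothing under the default, every non-admin user under "most", and only the branch users under "few", while the admin account is never cached because the Denied list takes precedence.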
Demo
• Read-Only Domain Controllers
Fine-Grained Password Policies – Overview
• Granular administration of password and lockout policies within a domain
• Usage examples:
  – Administrators
    • Strict setting (passwords expire every 14 days)
  – Service accounts
    • Moderate settings (passwords expire every 31 days, minimum password length 32 characters)
  – Average User
    • “light” setting (passwords expire every 90 days)
Fine-Grained Password Policies – At a glance
• Policies can be applied to:
  – Users
  – Global security groups
• Does NOT apply to:
  – Computer objects
  – Organizational Units
• Multiple policies can be associated with the user, but only one applies
Fine-Grained Password Policies – Example

Figure: two Password Settings Objects, PSO 1 and PSO 2, with precedence values 20 and 10, each with its “Applies To” links; the resultant PSO for the objects they apply to is PSO1.
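How the single resultant PSO is chosen when several reach a user, as an added Python example that is not the presentation’s code: a PSO linked directly to the user object wins over any linked through a group; otherwise the lowest precedence value wins, with the smaller objectGUID breaking a tie. PSO names, precedence values and GUIDs are constructed, and SAMPLE_PSOS assumes PSO1 holds precedence 10 and PSO2 precedence 20, both reaching the user via groups.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int          # msDS-PasswordSettingsPrecedence; lower value wins
    guid: uuid.UUID          # objectGUID; only used to break precedence ties
    applies_to: frozenset    # msDS-PSOAppliesTo: users and global security groups


def make_pso(name: str, precedence: int, guid_int: int, applies_to) -> PSO:
    """Build a PSO with a constructed objectGUID (real ones are random)."""
    return PSO(name, precedence, uuid.UUID(int=guid_int), frozenset(applies_to))


def resultant_pso(user: str, groups: set, psos: list,
                  default: str = "Default Domain Policy") -> str:
    """Pick the one PSO that applies to `user`.

    `groups` is the user's effective global security group membership, which
    the caller is assumed to have resolved already (nested groups included).
    """
    def winner(candidates):
        # Lowest precedence wins; on a tie the smaller objectGUID wins.
        return min(candidates, key=lambda p: (p.precedence, p.guid.int)).name

    direct = [p for p in psos if user in p.applies_to]
    if direct:                      # a PSO linked to the user object beats all others
        return winner(direct)
    via_group = [p for p in psos if groups & p.applies_to]
    if via_group:
        return winner(via_group)
    return default                  # no PSO reaches the user: domain policy applies


# Constructed sample in the spirit of the slide: PSO1 (precedence 10) and
# PSO2 (precedence 20), each linked to a global security group.
SAMPLE_PSOS = [
    make_pso("PSO1", 10, 0x11, {"Branch Admins"}),
    make_pso("PSO2", 20, 0x22, {"Helpdesk"}),
]

if __name__ == "__main__":
    # alice is in both groups, so both PSOs reach her and PSO1 wins on precedence.
    print(resultant_pso("alice", {"Branch Admins", "Helpdesk"}, SAMPLE_PSOS))
```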
Example: Patch – Using Network Access Protection
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network

Figure: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as Patch, AV; Remediation Servers in the Restricted Network (not policy compliant); Corporate Network (policy compliant).
NAP – Enforcement Options

Enforcement            | Healthy Client                        | Unhealthy Client
-----------------------|---------------------------------------|---------------------------------------------------------------
DHCP                   | Full IP address given, full access    | Restricted set of routes
VPN (MS and 3rd Party) | Full access                           | Restricted VLAN
802.1X                 | Full access                           | Restricted VLAN
IPsec                  | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

• Complements layer 2 protection
• Works with existing servers and infrastructure
• Flexible isolation
IPsec-based NAP Walk-through
Zones: Quarantine Zone, Boundary Zone, Protected Zone. Parties: Client, DHCP, Health Registration Authority, NPS, Remediation Server.
Client → DHCP: May I have a DHCP address?
DHCP → Client: Here you go.
Client → Health Registration Authority: May I have a health certificate? Here’s my SoH.
Health Registration Authority → NPS: Client ok?
NPS → Health Registration Authority: No. Needs fix-up.
Health Registration Authority → Client: You don’t get a health certificate. Go fix up.
Client → Remediation Server: I need updates.
Remediation Server → Client: Here you go.
NPS → Health Registration Authority: Yes. Issue health certificate.
Health Registration Authority → Client: Here’s your health certificate.
Client: Accessing the network.
Thank you!