Internet Security Best Practices

1
Internet Security Best Practices

• Scott Schnoll
• MCT, MCSE, MCSA, MCP, MS MVPPresident -
  NOBUGProduct Support Manager - TNT Software

2
Agenda

• Basic Overview of Problem
• The Attack Surface
• Best Practices for Better Security
• Security Resources

3
Non-Agenda ?

• Firewall and port settings
• A list of known ways IIS has been compromised
• Detailed settings for every component such as
  IPSec, Certificates, etc.
• How to completely protect against any possible
  attack

4
Basic Overview of Problem

• Physical Security
• The moment you network with any system that is
  not under your complete control you are
  vulnerable
• The Internet is basically hundreds of millions of
  systems outside of your control

5
Basic Overview of Problem

• Almost half of information technology
  professionals believe there will be a major
  Internet attack on US businesses in the next
  year, an event for which they believe
  corporations are unprepared, according to a
  recent survey.
• -- ZDNet, July 25, 2002

6
Security Threats Matrix
Natural Disasters
Human Threats
Malicious
Non-Malicious
Outsiders Hackers Criminals Competitors Government
s Cyber-terror
Insiders Disgruntled or Former Employees
Stuff Happens Forgotten Passwords Lost Encryption
Keys Accidental Deletion No/Bad Back-Ups
Flood Fire Earthquake Hurricane
7
The Attack Surface

• What is an Attack Surface?

Weak Passwords
Open Ports
Open File Shares
Systems too complex
Unknowns
People
Un-patched Web Server
Unused Services Left On
Excessive privileges
No Auditing
No Policies
8
The Attack Surface

• What is an Attack Surface?

Port Scanners
Viruses
Password Cracking
Trojan Horses
Unknowns
People
Denial of Service
Network Spoofing
Packet Sniffing
Poisons (Packets, DNS, etc.)
Worms
9
The Attack Surface

• Reducing the Attack Surface
• Get Secure
• Reduce the Attack Surface
• Patch
• Harden
• Stay Secure
• Maintain secure infrastructure
• Patches
• Updates
• Upgrades
• Read, Research, Results

10
Number 25Create and Maintain a Security Policy

• Security policies must be updated continuously
• Most typical reasons for changes are
• Changes in technologies, e.g. wireless LAN
• New well-known vulnerabilities
• Security breaches experienced internally
• Those affected by the security policy should
  participate in the development or at least review
  the policy
• Define who maintains the security policy, who
  designs solutions for abiding by it, who
  implements it and who enforces it

11
Number 24Dissemination And Enforcement Of A
Security Policy

• Make sure employees know the relevant security
  policies as soon as theyre hired
• The security policy should be readily available
  to all employees at any time
• Ensure communication of any changes in the
  security policy
• Ensure continuous awareness of the policies
• Executive sponsorship of the security policy is
  critical.
• Enforcement - clarify authority, responsibility
  and consequences for breach of policy
• Make sure that employees understand their role in
  assisting and supporting the security policy

12
Number 23Learn the 10 Immutable Laws of Patch
Management

• Law 1 Security Patches are a Fact of Life.
• Law 2 It Does No Good to Patch a System That
  Was Never Secure to Begin With.
• Law 3 There is No Patch for Bad Judgment.
• Law 4 You Cant Patch What You Dont Know You
  Have.
• Law 5 The Most Effective Patch is The One You
  Dont Have to Apply.
• Law 6 A Service Pack Covers a Multitude of
  Patches.
• Law 7 All Patches Are Not Created Equal.
• Law 8 Never Base Your Patching Decision on
  Whether Youve Seen Exploit Code
  Unless Youve Seen Exploit Code.
• Law 9 Everyone Has a Patch Strategy, Whether
  They Know It or Not.
• Law 10 Patch Management is Really Risk
  Management.

13
Number 22Keep all Systems Updated

• Patches are issued for good reasons
• Always test before deploying
• Automation Tools
• Monitoring/Alerting
• Data Collection/Archiving
• Software Update Services Corporate Windows
  Update
• HfNetChk weird name, great tool!http//www.micr
  osoft.com/technet/security/tools/tools/hfnetchk.as
  p

14
Number 21Learn Microsofts Privacy Framework
PD3 Communications

• Privacy training for all teams
• Privacy analysis on features components
• Privacy settings linked to group policy

Privacy by Design
Privacy by Default
Privacy in Deployment
Communications
15
Number 20Assess Value and Risks to Value

• All assets have value
• All assets have security requirements
• Determine known threats to assets
• Calculate exposure
• Implement security measures to reduce exposure
  every possible
• Implement risk management plan

16
Number 19Protect Everything

• Information/Data
• Hosts
• Applications
• Network Devices
• Network Services
• Passwords
• Physical Security

17
Number 18Understand Potential Threats/Attacks

• Denial of Service (DoS)
• Spoofing
• Privilege Elevation
• Repudiation
• Replay Attacks
• Viruses/Trojans/Worms
• Disclosure of Information
• Sabotage/Tampering

18
Number 17Insiders are just as good/bad as
Outsiders

• Biggest threat to computers and their data are
  PEOPLE
• Ignorance
• Maliciousness
• Inventory and Document Systems
• Hardware Software
• Network Devices
• Permissions

19
Number 16Establish Point of Contact Structure

• Define PoC in all sites
• Establish information sharing policy
• Consider including law enforcement
• Consider creating Computer Security Incident
  Handling Teams
• Maintain internal information flow
• Issue necessary press releases

20
Number 15Enable the Three As

• Auditing
• Access Control
• Authentication

21
Number 14Hardening the Network

• Use IPSec everywhere possible
• Authentication
• Data integrity
• Confidentiality
• Intrusion Detection Systems (IDS)
• Intrusion External Breach
• Misuse Internal Breach
• ICSA Labs White Paper
• http//www.icsalabs.com/html/communities/ids/white
  paper/Intrusion1.pdf

22
Number 13Firewalls

• What do they do?
• Packet filtering
• Circuit filtering
• Application filtering
• Stateless v. Stateful
• Which architecture do I use?
• Bastion Host
• DMZ
• Firewalls Wizards Mailing Listhttp//list.nfr.com
  /mailman/listinfo/firewall-wizards

23
Number 12Anti-Virus Software

• Needed for all points of entry into your network
• Do you really know of ALL of the entry points
  into your network?
• Maintain engine and pattern/DAT file updates

24
Number 11Hardening Windows

• Block all traffic to server during installation
  and in pre-production
• Use NTFS and EFS
• Store OS on its own partition
• Lockdown/Tune It
• Disable NetBIOS if not needed
• Install latest Service Packs and updates

25
Number 10Hardening IIS

• Hide IIS Metabase Q321142
• Use Strong Authentication
• Secure OS/Content using CACLS
• Disable Un-used Services
• Remove IISADMNPWD
• Use IIS Security Checklisthttp//www.microsoft.co
  m/technet/security/tools/chklist/iis5chk.asp
• Use IIS Lockdown Wizardhttp//www.microsoft.com/t
  echnet/security/tools/tools/locktool.asp
• Use URLScanhttp//www.microsoft.com/technet/secur
  ity/tools/tools/urlscan.asp

26
Number 9Establish a Security Baseline

• Microsoft Security Baseline Analyzer
  (MSBA)v1.1.1 - http//www.microsoft.com/technet/s
  ecurity/tools/Tools/MBSAhome.asp
• Scans Windows NT 4.0, Windows 2000, Windows XP
  and Windows Server 2003 for security updates for
• Windows
• IIS
• SQL 7.0, SQL 2000, MSDE
• IE 5.01
• Office XP
• Also Scans for
• Weak Passwords
• Unnecessary Services
• IE/OfficeXP/IIS Configuration Weaknesses

27
Number 8Threat Modeling Through Usage Patterns

• You cannot design an optimal security
  configuration without a thorough understanding of
  the usage pattern of a system
• Must include analysis of protocols
• Understanding what is unnecessary is hard
• Use Data Flow Diagrams (DFDs)
• Also called Process Models
• Describes activities that process data
• Shows how data flows through a system
• Shows logical sequence of associations and
  activities

28
Number 7Use Windows Security Templates

• Deployed Using Group Policy
• Account Policies
• Audit Policies
• Default Permissions
• IPSec/PKI Policies
• Security Options
• User Rights Assignment
• Software Restrictions (XP/2003 Only)

29
Number 6Secure Remote Access

• VPN
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPSec)
• Remote Authentication Dial-In User Service
  (RADIUS)
• Call-Back

30
Number 5Know Biggest Threats to Windows

• Top Windows Vulnerabilities (SANS/FBI)
• IIS
• MDAC Remote Data Services
• SQL Server
• NETBIOS Unprotected Windows Shares
• Anonymous Logon Null Sessions
• LAN Manager Authentication Weak LM Hashing
• Accounts with No/Weak Passwords
• Internet Explorer
• Remote Registry Access
• Windows Scripting Host

31
Number 4Know Biggest Threats to Unix

• Top Unix Vulnerabilities (SANS/FBI)
• RPC
• Apache Web Server
• Secure Shell (SSH)
• SNMP
• FTP
• R-Services Trust Relationships
• Line Printer Daemon (LPD)
• Sendmail
• BIND/DNS
• Accounts with No/Weak Passwords

32
Number 3Fill up Your Toolbox

• Event Viewer
• Performance Monitor/System Monitor
• Network Monitor/Netcap
• Netstat (-o on Windows XP!)
• Tracert
• Ping/Pathping
• NSLookup
• Whois
• DumpBin Q177429
• AuditPol
• SecEdit
• GPResults

33
Number 2Dealing with Compromises

• Remove compromised/infected machine(s) from
  network
• Take an image of machine(s) and try to determine
  how it was compromised
• Check with all software/hardware vendors for new
  vulnerabilities
• Check all log files
• Examine connected computers
• Install clean image after low level format
• Change relevant passwords
• Document what you have learned
• Make an incident response plan

34
Number 1Share this information

• Security is free! (mostly)
• Pass it on
• Security is a GROUP effort

35
What Happens When Microsoft Receives A Report Of
A Vulnerability?

• Acknowledge the report
• Triage-many e-mails are questions that need to be
  redirected to other groups
• If reproducible, a formal investigation is
  opened
• MSRC works with dev to identify vulnerability and
  its fix
• Also works with discoverer to help with fix and
  to keep then updated

36
Microsoft Security Response Center (MSRC)

• https//www.microsoft.com/technet/security/bulleti
  n/alertus.asp
• Monitored 247365
• E-mail secure_at_microsoft.com

37
Security Resources

• Manage Security of Your Windows IIS Web
  Serviceshttp//www.microsoft.com/technet/security
  /bestprac/mcswebbp.asp
• From Blueprint to Fortress A Guide to Securing
  IIS 5.0http//www.microsoft.com/technet/prodtechn
  ol/iis/deploy/depovg/securiis.asp

38
Security Resources

• Microsoft Security Resource Kit
• Contents
• Product Evaluation CDs
• Security Resource CD
• Security Demos
• White Papers
• Case Studies
• Tools
• SUS
• IIS Lockdown
• MBSA

39
Security Resources

• Read Making Your Windows Servers Secure
  http//www.microsoft.com/technet/security/tools/ch
  klist/wsrvsec.asp
• NSA Security Recommendations
• http//nsa2.www.conxion.com/win2k/guides/w2k-14.pd
  f
• Use the IIS Security Planning Toolhttp//www.micr
  osoft.com/downloads/release.asp?ReleaseID24973

40
Security Resources

• Hotfix and Bulletin Search
• http//www.microsoft.com/technet/security/current.
  asp
• Security Bulletin Notification
• http//www.microsoft.com/technet/security/bulletin
  /notify.asp
• Newsgroups
• news//msnews.microsoft.com/microsoft.public.secur
  ity
• Best Practices for Enterprise Security
• http//www.microsoft.com/technet/security/bestprac
  /bpent/bpentsec.asp

41
Security Resources

• Computer Incident Advisory Capability (DoE
  CIAC)http//www.ciac.org/ciac/
• Automated Security By Donn Parker
  http//www.infosecurity.com/
• TruSecurehttp//www.trusecure.com
• Computer Emergency Response Teamhttp//www.cert.o
  rg

42
Security Resources

• Center for Education and Research in Information
  Assurance and Security (CERIUS) Perdue
  Universityhttp//www.cerias.purdue.edu/
• RFC 2196 Site Security Handbookhttp//www.ietf.
  org/rfc/rfc2196.txt
• Strategic Technology Protection Program
  (STPP)http//www.microsoft.com/education/?IDStra
  tegicTech

43
Security Resources

• Security Operations Guide for Win2Khttp//www.mic
  rosoft.com/technet/security/prodtech/windows/windo
  ws2000/staysecure/default.asp
• Server Security Checklistshttp//www.microsoft.co
  m/education/?IDServerSecurity
• Virus Alertshttp//www.microsoft.com/technet/secu
  rity/virus/alerts/
• How to Maintain Windows Securityhttp//www.micros
  oft.com/windows/security/default.mspx
• Microsoft Security Clinic (Course
  2800)http//www.microsoft.com/traincert/syllabi/2
  800Afinal.asp

44
Security Resources

• Windows XP Office XP Securityhttp//www.microso
  ft.com/WindowsXP/officexp/security/
• Internet Security Systems Security
  Centerhttp//www.iss.net/security_center
• NTBugTraqhttp//www.ntbugtraq.com
• Slide Deck Notes Have 65 additional
  security-related links!

45
Security Resources

• Newsgroups
• Microsoft.public.security.
• Microsoft.public..security
• alt.computer.security
• alt.hacker
• alt.security.pgp
• alt.sources.crypto
• comp.lang.java.security
• comp.os.linux.security

46
Questions? Thank You!
Scott Schnoll MCT, MCSE, MCSA, MCP, MS
MVPPresident - NOBUGProduct Support Manager -
TNT Software