Dirty-Dozen: Top 12 Issues in Windows 2000 Security - PowerPoint PPT Presentation

About This Presentation
Title:

Dirty-Dozen: Top 12 Issues in Windows 2000 Security

Description:

Title: No Slide Title Author: Vince Bitel Last modified by: smccann Created Date: 7/19/2000 2:04:51 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:61
Avg rating:3.0/5.0
Slides: 32
Provided by: Vince52
Category:

less

Transcript and Presenter's Notes

Title: Dirty-Dozen: Top 12 Issues in Windows 2000 Security


1
Dirty-Dozen Top 12 Issues in Windows 2000
Security
  • Roberta Bragg
  • Security Evangelist
  • Have Computer Will Travel, Inc.

2
Agenda
  • Was the FBI Right?
  • Too Trusting?
  • EFS/ XP/W2K Issues
  • Anonymous Access Exposes Data
  • Preventing Unauthorized Access
  • NTFS Inheritance
  • Dont Give Permissions to User Accounts
  • So many security settings to configure!
  • So many boxes to secure
  • Too Many Administrators
  • Patching Mania
  • Weak Passwords

3
1. Was the FBI Right?
  • Universal Plug-and-Play standard
  • Feature of XP unfortunately flawed
  • Security Bulletin MS01-59
  • Q article - Q315056

4
Whats the Fuss?
  • Buffer overrun attacker controls system
  • Endless download cycle (DoS) possible if
    maliciously configured device host
  • Flooding of third party server (DoS) with bogus
    requests

5
Patch Available
  • Windows XP and Windows 98
  • Or Disable SSDP Discovery Service

6
Configuration to Limit Exposure Q315056
  • Regulate device download based on scope
  • Regulate device description download based on
    Router Hops
  • Port restrictions
  • Delay Mechanisms

7
2. Too Trusting
  • Security Bulletin MS02-001 - Using SID Filtering
    to Prevent Elevation of Privilege Attacks
  • An Administrator of one domain could obtain
    administrative rights in another

8
Domain Trust Relationships
W2K
NT
trusted
NT
trusting
9
To exploit youd have to
  • Be Domain Administrator in the trusted domain
  • NT develop and install custom operating system
    components
  • W2K binary edit of data structures that hold
    SIDHistory mechanism

10
Protecting Security Boundaries
  • No trust
  • NT style trust between domains in separate forest
    SID Filtering
  • Kerberos style trust between domains in forest
    NO!!!!!! Do not apply Sid Filtering
  • Vet, Hire and Audit Trustworthy admins

11
3. EFS/XP/W2K
  • EFS algorithms
  • Is Data Loss Possible?
  • Storage Issues
  • XP specific issues

12
Excellent Encryption Product
  • Symmetric and Asymmetric Encryption
  • W2K File recovery
  • .NET File or key recovery

13
Is Data Loss Possible?
  • Very possible to lose data
  • Disable EFS
  • Implement PKI
  • Deploy EFS

14
Storage Issues
  • Network Storage
  • W2K Not encrypted during transport use IPSec
  • XP use Web Folders files remain encrypted
  • Copy to FAT decrypted
  • W2K/XP backup preserves encryption

15
XP Specific Issues
  • Sharing encrypted files may be dangerous
  • Administrative password reset uncouples
    certificate from user account

16
4. Anonymous Access Exposes Data
  • Anonymous access is accomplished via null domain
    name, account password
  • Necessary for some applications/services

17
5. Preventing Unauthorized Access
  • Windows 2000/XP in domain Kerberos
  • Compatibility dilemma
  • NT NTLM
  • Win9x LM
  • NTLMv2 advantage
  • Prevents sending of LM password hash
  • Available NT, Win9x with AD client installed
  • Registry entry to prevent storage LM password hash

18
(No Transcript)
19
6. NTFS Permissions Inheritance
  • Windows NT - can be cascaded to any level!
  • Windows 2000 - can be blocked at subfolder level.
  • Windows XP unlike W2K can apply defaults to
    upgrade.

20
(No Transcript)
21
7. Dont Give Permissions to User Accounts
  • Add user accounts to Global Groups
  • Add Global Groups to local Groups
  • Assign permissions to local groups
  • W2K native mode use Universal Groups
  • Promotes ease of administration, assurance of
    access removal, clear audit path

22
8. So Many Security Settings to Configure
23
9. So Many Boxes to Secure
  • Develop baselines for classes of boxes
  • Create baseline security templates
  • Apply
  • Security Configuration and Analysis
  • Group Policy
  • Use to audit system compliance with policy

24
10. Too Many Administrators
  • Use Default Groups
  • Server/account/print operator
  • Power User
  • Create groups and assign rights and permissions
  • Question and evaluate any request for
    administrative status
  • Window 2000 Use delegation of authority

25
11. Patching Mania
  • Everyone says to patch your system ?????
  • Windows Update single systems
  • Windows Corporate Update Site
  • http//corporate.windowsupdate.microsoft.com
  • Qchain

26
12. Weak Passwords
  • Many attacks require authenticated access
  • Default Password policy is weak
  • Users need training in creating strong passwords
  • Consider alternatives Biometrics Smart cards

27
What is Microsoft Doing? Trustworthy Computing?
  • Bill Gates speech on trustworthy computing.
  • Month long no-new-code sabbatical.
  • Can perfect code be produced?
  • What will it cost?
  • Whats the track record, really?

28
Stats (www.securityfocus.com)
  • Most vulnerabilities Mandrake Soft Linux with 34
  • 2nd, 3rd, 4th place - three other versions of
    Linux
  • 5th Windows 2000, 2 versions of Solaris tied
    with 24 each

29
www.securityfocus stats
30
Call to Action!
  • Patch and/or Disable UPnP
  • Understand the Meaning of Trust
  • Disable EFS until PKI
  • Restrict Anonymous Access
  • Force NTMv2 where Kerberos wont prevail
  • Protect Key NTFS Permissions
  • AGLP
  • Create Security Baselines
  • Use Group Policy
  • Delegate Authority
  • Patch
  • Use strong authentication

(hold Bills feet to the fire)
31
Questions?
  • Roberta Bragg
  • Security Evangelist
  • Have Computer Will Travel, Inc.
Write a Comment
User Comments (0)
About PowerShow.com