Document

Download Report

Transcript Document

Sinergija09 :: Akcija!!!

• •

Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 !

Kompanija Microsoft Software je u saradnji sa partnerskom firmom Network Security Solutions rešila da pokloni svim zainteresovanim firmama učesnicama Sinergije09, bez obzira na broj prijavljenih posetilaca konferencije, po jednu besplatnu osnovnu procenu bezbednosti web sajta.

Prijave do 30. Novembra http://www.netsec.rs

Protecting Windows and Web applications

Dejan Levaja, MVP [Enterprise Security] Network Security Solutions http://www.netsec.rs

Agenda

• • • • • • • Server 2008 Security mehnizmi - podsetnik IIS 7 security Patching Auditing Scanning and Assessment Hardening Security Testing

Security and protection

• • Security improvements to the kernel – Kernel patch protection for 64-bit editions – Security improvements to the heap manager – – Security improvements to the registry Code integrity – – Data Execution Prevention Address Space Layout Randomization – Windows Resource Protection Security improvements to Windows services – Windows service hardening – Session 0 isolation – Named pipe hardening • • • • • Windows Integrity Mechanism Windows Internet Explorer 7/8 – Protected mode – Extended Validation SSL certificates Extensible logon architecture Cryptography Next Generation Authentication protocol improvements – Windows implementation of the Kerberos – protocol TLS/SSL cryptographic enhancements

Threats and vulnerabilities mitigation

• • • • • • • Server role security configuration Server Core installation option User Account Control Web Server (IIS) role Backup and recovery Windows Firewall with Advanced Security Network Policy and Access Services role – – Network Policy Server Network Access Protection – Routing and Remote Access

Secure configuration assessment and management

• • • • • • Security auditing Server security policy management Security Configuration Wizard Authorization Manager Group Policy Active Directory Domain Services – – Fine-grained password policies Auditing

Identity and access control

• • • • • • • • • • • • • • Smart cards 802.1X authenticated wired and wireless access Backup and restore of stored user names and passwords Credential Security Service Provider and single sign-on for Terminal Services logon Previous logon information Access control user interface TrustedInstaller SID Restricted SIDs checks File system namespace modifications Default permissions changes Changes to tokens Integrity levels Icacls command-line tool OwnerRights SID • • • • • BitLocker Drive Encryption Encrypting File System Active Directory Certificate Services – Cryptography Next Generation – – Online Certificate Status Protocol Network Device Enrollment Service – – Web enrollment Policy settings – – Restricted enrollment agent Enterprise PKI snap-in Active Directory Domain Services Active Directory Rights Management Service

IIS 7 Security

• • • • • • Ranjivosti – IIS 7 – (2006. – Sinergija09) => 2 Apache 2.2 (2006. – Sinergija09) => 17 – – IIS 6 (2003. – Sinergija09) => 8 Apache 2.0 (2003. – Sinergija09) => 41 Authentication IP and Domain Restriction URL Authorization Request Filtering Certificates

IIS 7 Security - Authentication

• • Izmene – IUSR_machine_name => IUSR – IUSR_machine_name postoji samo ako postoji i FTP – – IUSR radi u bezbednosnom kontekstu worker procesa (network service) IUSR nema lozinku – – IUSR_WPG => IIS_IUSR Najvažnije: IUSR i IIS_IUSR su Built-In nalozi –> svuda isti SID -> moguć XCOPY /O Authentication – – Anonymous Basic – – Windows Forms – Certificates* – – Digest ASP.NET Impersonation

IIS 7 Security - IP and Domain Restriction

• • • Ograničenje pristupa po IP adresi Ograničenje pristupa po imenu domena (zahteva reversni DNS lookup!) – Demo Dynamic IP Restrictions Extension (beta) – http://www.iis.net/extensions/DynamicIPRestrictions

IIS 7 Security - URL Authorization

• • NTFS vs URL autorizacija – xcopy /o Demo – Scenario • Isključimo Anon Auth, uključimo Basic • kreiramo grupu • • kreiramo korisnike i dodamo ih u grupu obrišemo defaultni URL Authorization Rule i kreiramo novi – Sve ovo može i iz CMD-a (appcmd.exe)!

Request Filtering – simple WAF

• URLScan => Request Filtering – Filter Double-Encoded Requests • ‘\’ => %5c – ‘% ‘=> %25 » %255c • scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ (IIS 5.0) – Filter High Bit Characters – – Filter Based on File Extensions Filter Based on Request Limits – Filter by Verbs – Filter Based on URL Sequences • /../ , – Filter Out Hidden Segments

Certificates

• • SSL – – – – – Demo one to many mapping one to one mapping AD mapping CLR, delta CRL Next, next, finish

Patching

• • • • • Windows Update – <= Vista – OS + IE Microsoft Update – Windows Update + MS Office + Exchange + SQL + ...

– http://www.update.microsoft.com/ Automatic Update Patch Tuesday ( and Exploit Wednesday  ) Microsoft Catalog – http://catalog.update.microsoft.com

Patching

• WSUS 3.0

– Sastavni deo Servera 2008 (KB 940518) – SUS == OS; WSUS == OS + ostalo – – WSUS = IIS 7+ SQL (WID) + Microsoft Update GPO ili Registry • GPO => Computer Configuration\Administrative Templates\Windows Components\Windows Upddate\Specify Intranet Microsoft Update Service Location • Registry => KLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ –

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

» »

/v WUServer /t REG_SZ /d http://wsus.netsec.local

/v WUStatusServer /t REG_SZ /d http://wsus.netsec.local

Auditing

• • • • Auditing in Server 2008 – 4GB vs >petabyte – n*1000 evt/sec vs n*10000 evt/sec – – granular audit policy (GAP) GPO (R2), AuditPol.exe

EventViewer – XML eventquery.vbs wevtutil.exe

Demo: Failed logons – wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text > logon.txt

Scanning

• MBSA – Security Updates, Administrative Vulnerabilities, IIS, SQL, Desktop apps – WSUS i MBSA – – GUI, cmd (mbsacli.exe) Online, Offline – – wsusscn2.cab http://go.microsoft.com/fwlink/?LinkId=76054 Visio Connector (2003,2007) – – %userprofile%\SecurityScans Demo: • mbsacli.exe /target 192.168.0.10 /u administrator /p P@ssw0rd • mbsacli.exe /n SQL+IIS /catalog c:\wsusscan2.cab /nd

Assessment

• • • • MSAT – MSAT is designed to help you identify and address security risks in your IT environment.

– http://technet.microsoft.com/en-us/security/cc185712.aspx

Preko 200 pitanja baziranih na ISO 27001 Infrastructure, Applications, Operations, People Demo

Hardening

• • • Windows Firewall with Advanced Security IPSec => Server and Domain Isolation – R2 or not R2 ? – Demo Security Configuration Wizard – Demo

Security Testing

• • Vulnerability Assessment – popisuje ranjivosti – MBSA, ...

Penetration Testing – dokazuje da je moguće iskoristiti pronađene ranjivosti – browser + proxy, metasploit, ...

• •

Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 !

Prijave do 30. Novembra http://www.netsec.rs

Molimo vas da popunite ankete!

Please fill out the evaluations!

Vaše mišljenje čini osnovu sledeće Sinergije i omogućava nam da oblikujemo sadržaj u skladu sa Vašim željama.

Your opinion forms the next Sinergija conference, and it provides us with the means to shape its content to best suit you.

Svi posetioci koji popune ankete ulaze u nagradnu igru All attendees that fill out the evaluations are taking part in drawing of special prizes

Hvala!

[email protected]

Microsoft Community Serbia http://www.msforge.net