Mark Minasi Minasi.com SIA301 About Mark Programmed large-scale economic simulation models in late 70s and early 80s Over a thousand columns since 1986 in BYTE, Compute!, OS/2 Magazine, OS/2
Download ReportTranscript Mark Minasi Minasi.com SIA301 About Mark Programmed large-scale economic simulation models in late 70s and early 80s Over a thousand columns since 1986 in BYTE, Compute!, OS/2 Magazine, OS/2
Mark Minasi Minasi.com SIA301 About Mark Programmed large-scale economic simulation models in late 70s and early 80s Over a thousand columns since 1986 in BYTE, Compute!, OS/2 Magazine, OS/2 Professional, InfoWorld, ComputerWorld, AI Expert, Windows IT Pro Teaches, writes, consults on PCs & networking full time since 1984 Teach in 22 countries Security consulting since 2001 Directory Services MVP Voted "Favorite Technical Author" four times out of four at CertCities.com 28 books, many bestsellers… About Mark 28 books, including… Question: How many of you do security at your company? Question: How many of you ASKED to do security at your company? What's This Talk All About? Several things Review the fundamentals, but with a fresh "2009 perspective" A chance to help you in the ongoing battle to convince our users that security matters If you've made the choice to use Win 6 or 7, I want you to know where to go to get the most out of that investment security-wise Why Security Matters Protecting company assets, of course But the Internet adds a new dynamic Computers are “levers” when it comes to data; when things are good, they’re very good, and when they’re bad, they’re very bad – and get worse quickly! There are also the matters of public security, which is another very good reason to care Twelve Tips You are a risk manager Write a security policy Passwords Authenticate right Stomp Administrator Auditing and logs Nail the services… or the developers Physical security Have A DR Plan Upgrade the carbon units Stay informed Patch! Risk Analysis Security’s a Tradeoff… … like everything else in business You cannot make your system completely secure We accept and absorb risks all the time Security Has A Price IT’s job versus security’s job Many “hardening” techniques will cause software to break Write a Security Policy one on paper, that is We’re talking here about protecting the organization from destruction, so… This only works if management’s on board Must have a written security policy Must have a few items that, well, could cause termination If not, then relax!; you’re going to get hacked, probably by an insider, but there’s nothing you can do about it, so don’t work late Good sample policies at http://www.sans.org/resources/policies/ Practical Talk About Passwords “Bad passwords always beat good security” Passwords – the stakes Passwords are it for most of us in terms of identifying ourselves to the network Bad guys just need one account, not all of them Passwords are a carbon-based issue, not a silicon-based issue Again, get the users on board, or it's likely that no password technology will ever work Passwords – the modern facts Passwords are attacked in several ways Shoulder surfing Post-Its They’re yelled across a room Someone steals your password “hashes” and cracks them Someone tries repeatedly to log on with different passwords Note that only the last two are technological A Bit of Technicals on Passwords Computers don't store your password; they convert it to a 128 bit "hash" and store that "Open Sesame" Any of many mathematical processes called a "hash function" 0F725ACD85C6390EE6F218C7D382C552 This is essentially your real password – if bad guys get it, they can (1) attempt to reverse it to get your password (difficult) or just directly use the hash to impersonate you (easy) How Bad Guys Get Your Hash Physical access to your system Guessing it But that means trying 2128 possibilities, which is still computationally unlikely – at a million/second, it'd take 1025 years, and even Moore's Law won't crack that for a while Guessing it with a hint… now, that might be possible! Hint Sources Structural limitations on passwords The 1980's "LAN Manager" software limited the possible number of hashes so that checking all possible hashes can be done in a few days on a modern system rather than a zillion years… so LM hashes must go Hashes come from human-chosen passwords and humans tend not to create passwords like "6$^^hH-()()()()(7Ghala" Worse yet, many people restrict themselves to personal info or English words This is how the bad guys get passwords! Protecting Your Passwords Get your users to create useful, non-trivial passwords Mandate a minimum password length of at least 8 characters, consider 12… 7 or under is bad under all circumstances for several reasons Avoid complex passwords Train users to avoid simple English words Get rid of LM now. Really… now. Group policies will do it Most systems will not have a compatibility problem, but check NASes and network-attached printers More info in my June 2003 newsletter for more info on my site www.minasi.com Win 6/7 and LM After telling us to rid our networks of LMrelated stuff for ten years, Microsoft took a big step… … Vista, Server 2008, Win 7 and Server 2008 R2 have no support for LAN Man hashes or authentication at all You couldn't create an LM hash with Vista if you wanted to! The Dumbest Passwords I've got to stress this… In the early 21st Century, these kind of passwords can be almost always cracked in under three minutes: A name associated with you or your organization A date associated with you or your organization A dictionary word BTW, just adding a number or a capital adds no more than a few minutes to the time People with these passwords must, sadly, be sterilized 12 Characters? Are You Crazy? I advocate 12 character minimum password length… more length makes up for a "no complexity" requirement Only requires a bit of user education on the "passphrase" (November 2004 newsletter) 12 lowercase letters = 95,428,956,661,682,176 possibilities Try a million a second, it’ll take 300 centuries What, Too Hard? Then try for eight-character passwords, and require them to be at least two words Audit them against English words; the best tools are no longer available, but Cain & Abel can do some of it But never "audit" a user's password unless he/she acknowledges it through the writtendown security policy The Ultimate Password Remember why English word passwords are childishly simple to crack? They weren't 12 years ago As Moore's Law strides on, one day any eightcharacter password, no matter how obscure, will be crackable in an hour or so And then what do we do? Answer: PKI… so put that on your "things to figure out in the next couple of years" list Watch Your Authentication Protocols Why They Matter When you log on, your system decides underthe-hood how to authenticate with a domain controller – either LM NTLM NTLM v2 Kerberos Even in an AD world, the top three get used… and you really want to avoid that Use a Protocol That Protects Hashes NTLMV2 is pretty secure… but by default Windows falls back to LM & NTLM, not NTLMv2 You can change this in your domain group policy (brand-new 2008/R2 domains don't need this) Tell your system to only fall back to NTLMv2 More details in my Kerberos talk tomorrow at 8:30 here, SIA 401 "Cracking Open Kerberos" Handling Admin Accounts and Eliminating "Administrator" Creating Good Admin Passwords without having to stress the users Having someone crack one of our (administrator) passwords would be bad One answer: set up different password policies for members of the Domain Administrators group from the policy for non-admins Possible in 2008 and 2008 R2 with "password settings objects" Needs 2008 DFL, good tool to utilize it at www.joeware.net Stomping Administrator the account, that is Local “Administrator” account is unaccountable Rename it Prohibit insiders from using it also (Otherwise, auditing is pointless) Give people’s accounts the admin privileges that they need … no more Then assume that people using Administrator have no good in mind – make using it a firing offense! No real need for Administrator acct any more Stomping Administrator Randomize the admin password net user administrator /domain /random>nul It doesn’t hurt to rename the account in any case If using 2003 or 2008, you can create a smart card for the Administrator account force the Administrator account to only be able to log on with the card – ctrl-alt-del won’t work lock up the card and disperse the PIN Don’t Spend All Day As Admin Tempting to be logged in all day as an administrator Workaround: runas command, although truthfully it's a pain Works best when shift-right-clicking a menu item But there's a better way… What About UAC? In a sense, it's a "reverse Run As" You log in as an administrator, but automatically get two identities, and a reminder whenever you use the powerful one People find it annoying… but I really recommend that you keep it in place In silent mode, it essentially automates the "two account switch" trick What About UAC? I know, you hate it, but… Once you understand UAC, it can be very useful, so give it a second look I'm doing an in-depth talk on it Thursday AM here in this room at 8:30 AM and will also cover Windows Integrity Levels Audit Your Network Windows Auditing It's been around forever, but isn't always used Why use it? After-the-fact forensics Helpful in compliance situations (HIPAA, SOX) Treat logs policy-wise the way you treat money accounting records Biggest pain is collecting and archiving the Security logs, as there's one on every workstation and server Auditing and Logs what modern Windows offers Fine-tune who you're auditing with auditusr, which first appeared in XP SP2 and 2003 SP1/R2 – see my August 2005 newsletter In Vista and later, it's called "auditpol" and has different syntax Easily centralize logs with Windows 6 and 7's ability to centralize events to a single system – "event log subscriptions" (see chapter 1 of my Vista security book, free download, for examples) Auditing And Logs some fairly big news in Windows auditing in Win 7/R2 More auditable stuff: 9 categories in Vista… … 54 in Windows 7/R2 To see this, look in Group Policies / Windows Settings / Security Settings; the old "Local Policies / Audit Policy" is there, but there's also now an "Advanced Audit Policy Configuration" folder "Global SACL" or "Global object access auditing" completely changes object auditing Use either group policies or auditpol to enable "Reason for access" reporting Securing Services Securing Services Whenever there's a headline-grabbing security attack, there's a compromised service behind it There have traditionally been three things you can do to reduce services' vulnerabilities Disable the unnecessary ones Minimize the remaining ones' privileges Minimize the remaining ones' permissions XP SP2 started a trend that way, but you may be surprised at what Windows 6 did to shore up services' security Services, Phase One disable unnecessary ones Much less necessary with Vista/2008 Messenger, clipbook, alerter services gone Other services are isolated in a separate Terminal Services session and so cannot interact with the desktop (Only bad part – causes some pre-Vista print drivers to fail) Services, Phase 2 de-fang the services that you leave running Services run not as you, but as some account – probably System, which is all-powerful Thus, any damage that they can do is limited by the permissions on that account Unfortunately that’s usually System Vista/2008 includes a built-in feature that reduces much of System's power Services, Phase 2 finding out if your devs have been lazy The problem is that not every developer exploits it Way to find out: open an elevated command prompt and type sc qprivs servicename If you don't get a list of privileges, that service has not been secured – so yell at the developer! (More info in Chapter 7 of my Vista security book) Services, Phase 3 reducing their power with service isolation "System" has all-encompassing file permissions Vista/2008 take it a step further with "service isolation" Basically it's an isolated service is one whose developer has very finely determined which files/folders/etc a given service, and used a new Vista/2008 feature to explicitly lock it out of everything else Test: "sc qsidtype servicename" – you want to see "SERVICE_SID_TYPE: RESTRICTED" If not… whack the developers! (Hey, if you've got Win 6/7, you've already paid for this!) Physical Security Physical Security The idea is "if I can touch it, I can hurt it" The top item on many people's security lists… but not always a practical one to accomplish Servers are often protected… … but what about in branch offices? And how can we (realistically) secure workstations – particularly laptops? And beyond workstations, what about the other things that carry copies of our data? Physical Security The problem: Once upon a time, we could lock our data behind locks and walls We still can in some places, and when we can, we must But what about when we can't? (Example: booting XP with a 2K CD) Physical Security using Windows 6 and 7: three technologies Device installation group policies: "no removable devices allowed on this system" BitLocker: encrypts drives, securing laptops branch office servers BitLocker To Go: encrypts removable devices like USB sticks Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted" Physical Security and RODCs protecting your Active Directory In branch offices with questionable physical security, consider 2008-based "read only domain controllers" or RODCs By default, RODCs contain copies of the AD… … but no passwords Thus, it's no good if the WAN link's down, but if stolen, it's got nothing we care about Physical Security and RODCs why's it good? RODCs let you "loosen" security a bit You can put as many or as few passwords onto an RODC as you like And if the RODC is stolen, just three clicks resets the passwords and deletes the RODC's domain membership Combine it with Bitlocker and you're better protected Disaster Recovery / Business Continuity Have A Disaster Plan the problem Every organization needs DR and BC plans "What if we're hacked?" "What if there's a fire?" "What if the water tower on the roof leaks and we have a flood on the top floor, where the servers are?" DR plans can be a pain; here's a few thoughts Have A Plan have simple (but explicit) plans After the attack/disaster, the question’s the same: where are the backups? How do I restore them? How do I rebuild a DHCP server? These should be step by step plans These must be tested beforehand This is not a small job, but it’s necessary and even constitutes training materials for new hires Make DR a Bit Easier w/2008 DR plans are a good idea…but can be so hard to do Answer: some sort of image backup/"bare metal restore" tool Many of the big vendors have them But 2008 includes one: CompletePC backup See my newsletters 64 and 66 for specifics Upgrade the Carbon Units no technology can protect us from attachments Kournikova worked because users didn’t know better and because we “protect” them from extensions The weasels only win when users invite them in Don’t yell, but…user training is the answer Just 15 minutes of basics about mail and attachments goes a long way Stay Informed and Stay Paranoid www.microsoft.com/security for patches etc. www.sans.org www.securityfocus.com the security pages from whatever apps you rely upon Simplify Patching If "physical" is #1 on many lists, this is probably #2 or #3 WSUS, of course But don't forget your other technologies And then there's patching images If, however, you're using the free Windows (6 and 7) deployment tools from Microsoft, patching WIM imaging technology is easier than just about any tech around (and, again, it's free) Thanks! I hope this was useful Contact e-mail: [email protected] Free newsletter and seminar information at www.minasi.com Please join me at 8:30 tomorrow and Thursday for talks on Kerberos and then UAC/WIL Don't forget the evals and enjoy the rest of the show!!! Resources www.microsoft.com/teched www.microsoft.com/learning Sessions On-Demand & Community Microsoft Certification & Training Resources http://microsoft.com/technet http://microsoft.com/msdn Resources for IT Professionals Resources for Developers www.microsoft.com/learning Microsoft Certification and Training Resources Complete an evaluation on CommNet and enter to win! © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.