微淘公眾平臺推廣營銷方法詳解

SecuringWindowsNetworksSecurityAdviceFromTheFrontLinePresentedbyRobertHensing–PSSSecurityIncidentResponseSpecialist微快車微信營銷

第1頁AgendaRevealingHackerPersonasTopSecurityMistakesEveryoneSeemsToMakeSecuringWindowsNetworksStayingSecureSecureWindowsInitiativeSecurityImprovementsinXPServicePack2第2頁RevealingHackerPersonas第3頁Overview–RevealingHackersPersonasAutomatedvs.TargetedAttacksRevealingHackerPersonasLameSkilledSophisticatedWhyYOUWereSelectedandHowYouGot0wn3d第4頁HackerPersonasAutomatedAttacks“Spreaders”or“Scan’nSploitTools”or“auto-rooters”WormsThatDropBotsorTrojansTargetedAttacks0-dayExploitsCustomAttacksthatExploitWeaknessofYourInternetPresence第5頁HackerPersonasLame-~75%ofallintrusionsMotive:WantsyourstorageandbandwidthMethod:Useofspreaders,bots,wellknownexploitsAbilities:LimitedhighlevellanguageabilityPayload:UsuallyFTPservers,backdoorsdisguisedasa‘clever’servicename“TCP/IP”serviceor“SystemSecurity”service“MicrosoftISAServerCommonFiles”service第6頁HackerPersonasSkilled-~24%ofallintrusions?Motive:Wantstoexploreyournetworkanduseyourstorageandbandwidth,wantstoavoiddiscoveryasmuchaspossible.Method:CustomizedintrusionbasedonidentifiedvulnerabilitiesformultipleoperatingsystemsorapplicationsAbilities:AdvancedHLL,someASMPayload:FTPservers,keyloggers,backdoors,sniffers,passworddumpers第7頁HackerPersonasSophisticated-<1%ofallintrusions?Motive:Wantsyourmoneyoryoursecret/confidentialdataMethod:Cancustomizeintrusionbasedonanynumberofidentifiedvulnerabilitiesforavarietyofoperatingsystemsandapplications,possiblyusing0-dayexploitsAbilities:AdvancedHLL,AdvancedASMPayload:Rootkits,asinglebackdoorDLL,extortionletter!第8頁HackerPersonasWhyyouwereselectedandhowyougot0wn3d...Oddsaregreatyouwere0wn3dbyalamerYouwereeasilyidentifiedasaWindowshostthroughasimpleport-scan(nofirewall)Youareonabigfatpipe(possiblyhosted)Youhaveweakpasswordsormissingsecuritypatchesduetomissingorineffectivesecuritypolicy第9頁DemonstrationWindowsRootkit–HackerDefender第10頁TopSecurityMistakesEveryoneSeemsToMake第11頁TopSecurityMistakesWeakornon-existentpasswordpolicyNoauditpolicySporadicsecuritypatchpolicyPatchingtheOS,butnottheappsWeakornon-existentfirewallpolicyNoegressfilteringNoknowledgeofsecurelybuildinganewboxwhichleadstoHacked?Rebuild!HackedAgain!?第12頁HowToEndTheCycleofViolenceInstallfromslipstreamedsourceDon’thaveone?Makeone!Patchorenableahostbasedfirewall(orboth)andthenconnecttothenetworkDon’tusethepreviousadminpasswordIncludingtheSQLSApasswordDon’tsharelocaladminpasswordsacrossOSinstallationsLeadstoexploitonce,runeverywherePatchtheapplications(SQL,IIS,Exchangeetc.)第13頁SecuringWindowsNetworks第14頁Overview–SecuringWindowsNetworksSystemAdministratorPersonasAnexampleofwhatnottodoThreats&Countermeasures–PruningTheLowHangingFruit第15頁SystemAdminPersonasDefaultSkilledSophisticated第16頁SystemAdminPersonasDefaultPutsserversrightontheInternetwithnofirewallRunsacoupleservicepacksbehind(N-2)anddoesn’tknowhowtokeepuptodatewithsecuritypatchesNopasswordpolicyNoauditpolicyAlldefaultconfigurationsandsettings(alldefaults,allthetime)第17頁SystemAdminPersonasSkilledUsesInternetIP’s,buthasrouterACL’sLatestOSSP,allOScriticalupdates,hasn’tpatchedtheapplicationsinawhileifatall6characterpasswordswithaccountlockoutsOnlyauditslogoneventsandmonitorsforaccountlockoutsbycheckingeventlogsperiodicallySuspiciousofdefaultsettingsPerformedsomeOShardeningbyhand–didn’thardentheapplicationsthough第18頁SystemAdminPersonasSophisticatedUsesafirewallwithNATandingress/egressfilteringUsesanIDS/IPSintheDMZnetworkEnsurescriticalsecuritypatchestestedanddeployedin24hourswithrollbackplan12characterpasswords,notsharedanywhere,noaccountlockout,mayuse2-factorauthNAuditseverything,archivesauditlogsdailyHardenedOSusingsecuritytemplates/grouppolicy,hardenedapplications第19頁WhatNotToDo...ConfigureyoursystemwithanInternetroutableIPaddressRunmultipleapplications/servicesononeboxActiveDirectory,IIS,SQL,Exchange,PCAnywhere,3rdpartysoftwareAvoidinstallingpatchesDon’thaveapasswordpolicyWhataretheoddsthatsomeonewouldguess‘666’ismyadminpassword?第20頁Ifyoudothis,here’swhatthehackerssee...第21頁Threats–LowHangingFruit

OverviewNULLSessionEnumerationPassword/AccountLockoutAttacksPasswordHashAttacksRemoteCodeExecutionVulnerabilitiesPhysicalAttacksUnauthorizedNetworkAccessTheVPN“firewallbypass”Server第22頁Threat-NULLSessionEnumerationUnderstandingthe‘NULL’userNetworkconnection,usuallyusingNetBIOSTCP139inwhichnocredentialshavebeenpassed.Networktokengetscreatedontheserverfortheclient,‘Everyone’SIDgetsaddedtothetokenTokencannowenumeratesensitiveinformationusingtheNet*API’sthe‘Everyone’SIDhaspermissionsto!CountermeasuresRestrictAnonymous=2BlockaccesstoTCP139/445Stopserverservice第23頁Threat–PasswordAttacks/AccountLockoutAttacksAnyservicesthatexposesauthNprotocolsareatriskforpasswordguessingattacksNetBIOS,SMB,RDP,IIS,FTPetc.CountermeasuresUsestrongpasswordsinsteadofanaccountlockoutpolicy(whichonlyprotectsweakpasswords)Educateadministratorsandusersonhowtocreatestrongpasswords. Blockaccesstoportsthatallowauthenticationfromunauthorizednetworks(i.e.theInternet)withafirewallorIPSecportfilteringpolicyShutdownun-neededservices(Serverservice,FTPserviceetc.)第24頁Threat–PasswordHashAttacksOnlineattacksDumpingpasswordhashesfromLSASSwhiletheoperatingsystemisrunningPwdump*.exe,L0phtCrack5CountermeasureRequire2-factorauthenticationPreventmaliciouscodefromrunningincontextofadministratororSYSTEMSincethisattackrequireselevatedprivileges,anystepstakentocounterthiscanbeun-donebythecoderunningwiththeseelevatedprivilegesArrivingatthispointmeansyoursecurityposturehasfailedelsewhereandyouhaveothersecurityissuestodealwith第25頁Threat–PasswordHashAttacksManIntheMiddleAttacksSniffingshared-secretauthenticationexchangesbasedonauserspasswordbetweenclient/server(LM,NTLMv2,Kerberos)EveryoneseemstothinkKerberossolvedtheMITMpassword-crackingattack!Itdidnot,pertheKerberosv5RFC:"Passwordguessing"attacksarenotsolvedbyKerberos.Ifauserchoosesapoorpassword,itispossibleforanattackertosuccessfullymountanofflinedictionaryattackbyrepeatedlyattemptingtodecrypt,withsuccessiveentriesfromadictionary,messagesobtainedwhichareencryptedunderakeyderivedfromtheuser'spassword.第26頁Threat–PasswordHashAttacksManIntheMiddleAttacksToolsavailableforLM/NTLMandKerberosv5ScoopLM/BeatLM/Kerbcrack/LC5SecurityFridaydemonstratedNTLMv2atBlackhatona16-nodeBeowolfclusterin!Allresearchersagreethesolutionisstrongpasswords!CountermeasuresUse2-factorauthenticationonWindowsandlaternetworksAllowstheuseofthePKINITKerberosextensionwhichreplacespasswordswithpublic/privatekeysforinitialTGTatlogonUsestrong10characterorgreaterpasswordsUseIPSecESPtoencryptnetworkallnetworktrafficUse802.1xauthenticationtokeeprogueusersoffyournetwork第27頁Threat–PasswordHashAttacksAssumepasswordhasheswilleventuallybeobtainedallowingBrute-forceattacksDictionaryattacksHybridattacks(useadictionarywordthenbrute-forceafewchars)Pre-computationattacks(rainbowtables)–thelatestcraze...L0phtCrack5utilizesallthesemethodsforcrackinghashesCountermeasuresDon’tworryaboutyourhashesbeingstolen–makethemimmunetoreversinginanyreasonableamountoftime!Use10characterorstrongercomplexpasswordsOrbetteryetpass-phrases!NTbasedoperatingsystemssupport128characterpass-phrasesChangethemevery60daysorless.Minimumtimebeforepasswordcanbechanged1dayNumberofpreviouspasswordsremembered:atleast24第28頁Threat–PasswordHashAttacks667891011PasswordLength60DayPasswordsDatafromMicrosoftcalculationsbasedonPhillipeOchslin’salgorithmswitha1TerabyteRainbowCrackdatabase(researchthatisthebasisforthenewattack).第29頁Threat–PasswordHashAttacks第30頁Threat-RemoteCodeExecutionRCEvulnerabilitiesinexposednetworkservicesallowmaliciousattackerstoruncodeoftheirchoiceonaremotesystemStack&HeapoverflowsIntegerunder/overflowsFormatstringvulnerabilitiesCountermeasuresDisableunnecessaryservicesBlockunnecessaryportsInstallallcriticalsecurityupdateswithin24hoursWritesecurecode.

Runcriticalservicesusingthenewbuilt-inlow-privilegedaccountsCompileC++codewiththeVC7compiler/GSswitchUsebehavioralblockingsoftwareSanaSecurityProductsUseIntrusionPreventionSystems第31頁Threat–PhysicalAttacksAssumetheworst–physicaltheftofmachineCountermeasuresSYSKEYinmode2or3Keystoredinyourhead(mode2)Keystoredonafloppy(mode3)Protectspasswordhasheswith128bitsymmetricencryptionEithermodeprevents‘Nordahl’boot-diskattackAlsopreventstheDSRestoremodestyleattacksEFSCanbeusedtoencryptsensitiveinformation第32頁Threat–UnauthorizedNetworkAccessAppliestobothwiredandwirelessnetworksUnauthorizeduserconnectsorassociateswithnetworkandreceivesIPaddressStartsscanning,enumeratingandhackingCountermeasureUse802.1xtoauthenticatenetworkclientsbeforeallowingthemtousethenetworkPort-basedauthentication(requiressupportinghardwareinfrastructure)第33頁Threat–VPNServersVPNserversusuallyallowusersun-filteredaccesstothecorporateintranetUserscontaminatetheintranetwithmalwarethey’vecollectedwhilesurfingtheInternet(worms,etc.)CountermeasureEmployanetworkquarantinesolutionQuarantinesVPNusersinaDMZnetworkwhilemachineischeckedforsecuritypolicycomplianceAftermachinechecks,packetsareroutedIfmachinefailscheck,connectionisdropped第34頁Countermeasures-SummaryThevastmajorityofsecuritythreatscanbefullymitigatedbydoingtwothingswell:PasswordsSecurityupdatesSecurityshouldnotbe‘boltedon’Designsecurityintothesolutionfromthebeginning第35頁MicrosoftSolutionsforSecurityReviewthenewSecurityGuidanceCenter

/security/guidance/default.mspxWindowsSecurityHardeningGuide

/technet/security/prodtech/win/win2khg/default.mspxWindowsSolutionforSecuringWindowsServer

/technet/security/prodtech/win/secwin2k/default.mspx

WindowsServerSecurityGuide

/fwlink/?LinkId=14846

CoversenvironmentsrunningWin9xandlater!ThisisourbestsolutionforsecuringWindowsnetworks!第36頁WindowsServerSecurityGuideThemeGroupPolicycanbeusedtoautomatetheapplicationofsecurityhardeningandthreatcountermeasuresthroughtheuseofpre-definedsecuritytemplatesappliedtoGPO’sAutomated–policyappliedasmachinesjointhedomain/movedintoorganizationalunitsTheWindowsandWindowsServerSolutionsforSecuritycomewithpre-configuredreadytodeploytemplatesObviouslyyoushouldtestthembeforedeployingtheminaproductionenvironmentTheyWILLbreaksomething第37頁WindowsServerSecurityGuideProvides3differentsecuritylevelsfortheenterpriseLegacyClient(CompatiblewithWin9x–XP)EnterpriseClient(Compatiblewith&XPonly)HighSecurityClient(Compatiblewith&XPonly)第38頁第39頁DemonstrationSecuringWindowsServersusingGroupPolicy第40頁StayingSecure第41頁Overview–StayingSecureAwarenessSecurityAlertNotificationServicesVulnerabilityAssessmentRespondingtoSecurityEventsPatchWarfare–Thursday,Tutorial6IncidentResponse–Thursday,Tutorial6第42頁StayingSecureSecurityAlertNotificationServiceGete-mailalertsofMicrosoftsecuritybulletinsforallMicrosoftproductsPlain-texte-mail,PGPsignedwiththeMSRCPGPkey/security/security_bulletins/alerts2.asp

第43頁StayingSecureVulnerabilityAssessmentMicrosoftBaselineSecurityAnalyzer1.2LocalorRemoteVulnerability&PatchscannerScansforWindows,IE,IIS,SQL,MSDE,Exchange,Office,Commerce,Biztalk,SNA,andHISvulnerabilities/patches.English,German,FrenchorJapanesebuilds!第44頁StayingSecureMBSAPro’sandCon’sPro’sFreeGreatproductcoverageAgent-lessCon’sRequiresAuthenticationwithremotemachineandtheRemoteRegistryandServerServicesSlowwhenscanninglargenetworksNoeasywaytoaggregateXMLoutput第45頁StayingSecure3rdPartyvulnerabilityassessmentsoftwareISSInternetScanner–SystemScannerFoundstoneFoundScanMuchmorein-depththanMBSA1.2第46頁SecureWindowsInitiative第47頁SecureWindowsInitiativeMicrosoft’sNewSecurityCultureStartedwithBillGatesTrustworthyComputingMemoLeadtoSD3+CSecureByDesign,SecureByDefault,SecureinDeployment+CommunicationsSecureWindowsInitiativeWindowsServerfirstproducttoresultfromSWI,makesuseofmanyAttackSurfaceReductions(ASR’s)第48頁SecurebyDefault60%lessattacksurfaceareabydefaultcomparedtoWindowsNT4.0SP3ServicesoffbydefaultServicesrunatlowerprivilegeCodereviewsIISre-architectureThreatmodels$200MinvestmentSecurebyDesignCommunicationsSecurebyDesignCodereviewsIISre-architectureThreatmodels$200MinvestmentSecureinDeploymentConfigurationautomationIdentitymanagementMonitoringinfrastructurePrescriptiveguidanceCommunityinvestmentArchitecturewebcastsWritingSecure

Code2.0SecureWindowsInitiativeSD3+C第49頁SecureWindowsInitiativeDoesSWIwork?Let’shavealook...MS03-007,vulnerabilityexploitedthroughIIS5.0+WebDAVWS/IIS6notaffectedbecause:IIS6notinstalledbydefaultIfitwasinstalled,WebDAVdisabledbydefaultIfitwasenabled,IIS6rejectslongURL’sbydefaultIfitdidn’trejectlongURL’s,BOwouldoccurinlowprivilegeprocessnotaprocessrunningasSYSTEM第50頁SecureWindowsInitiativeArethereotherexamples?MS04-011,fixes14WindowsvulnerabilitiesOfthese14vulnerabilitiestheLSASSandPCTvulnerabilitiesarecriticalonWindowsandexploitswereinthewilddaysafterthepatchwasreleased!第51頁SecureWindowsInitiativeThesevulnerabilitieswereratedas‘Low’onWindowsServer–why?AttackSurfaceReductions(ASR’s)asaresultofSWIPCTisnotenabledbydefault!LSASSvulnerabilitynotremotelyexploitablebydefault!第52頁SecureWindowsInitiativeWantmore?Comingsoon:SecureServerRolesforWindowsServerTaskbasedsecuritywizardtofurtherautomatehardeningWSserverrolesWindowsXPServicePack2Themostsecureconsumeroperatingsystemtodate!第53頁SecurityImprovementsinXPServicePack2第54頁SecurityImprovementsinXPSP2OverviewNetworkProtectionTechnologiesMemoryProtectionTechnologiesSaferE-MailSaferBrowsingWindowsInstaller3.0第55頁NetworkProtectionTechnologiesAlerter&Messenger–GONE!(Okay,disabled)UniversalPlug&PlayalsodisabledbydefaultBluetoothnetworkstackincludedbydefaultDisabledunlessWHQLBluetoothdeviceispresent第56頁NetworkProtectionTechnologiesDCOM–Lockeddownbydefault!Previously,nowayforadministratorstoenforcemachine-wideaccesspolicyforallDCOMapplicationsXPhasover150DCOMserversOOB!ManyDCOMapplicationshaveweak“Launch”and“Access”permissionsthatallowanonymousremoteactivation/access!Administratorshadnowaytocentrallymanage/overridethesesettings!第57頁NetworkProtectionTechnologiesDCOMSolution:Machine-wideaccesscheckperformedbeforeanyserver-specificaccesschecksareperformed.StartingwithXPSP2,onlyadministratorscanremotelylaunch/activateDCOMservers!Everyoneisgrantedlocallaunch,activationandcallpermissions第58頁NetworkProtectionTechnologiesRPC–Lockeddownbydefault(RPCInterfaceRestriction)PreviouslyRPCinterfaceswerewideopenforanonymousaccessSP2addsRestrictRemoteClientssettingandenablesitbydefaultRequiresallremoteRPCclientstoauthenticateTheEPMnowrequiresAuthNMustsetEnableAuthEpResolutionto1onclientstogettheEPMworkingagain.第59頁NetworkProtectionTechnologiesWindowsFirewall(thesoftwareformerlyknownasICF)BoottimesecurityOnbydefaultforallinterfaces,globalconfiguration(allinterfacescansharesameconfiguration)LocalsubnetrestrictionCommandlinesupport(vianetsh)forscriptomaticconfiguration(thinklogonscripts)“Onwithnoexceptions”ExceptionListMultipleProfilesRPCSupportRestoreDefaultsUnattendedSetupforOEM’sMulticast/BroadcastsupportNewandimprovedGroupPolicyconfiguration(viaSystem.adm)第60頁MemoryProtectionTechnologiesIntroducingDataExecutionProtection(NX)Bufferoverflowsusuallyplace‘shellcode’onthestackorintheheapandcauseexecutiontojumptothislocationNXmarksareasofthestack/heapasnon-executablepreventingthismal-codefromrunningUsermodeappsthatattempttoruncodewillAVKernelmodedriversthatattempttoruncodewillbluescreenSupportedonAMD64,IA64andforthcomingx64IntelCPU’sforboth32bitand64bitWindowsXP第61頁MemoryProtectionTechnologies/GSStackbasedbufferoverflowprotectionPlaces‘canary’valueonthestackbefore/afterstackallocationsValueischeckedwhenvaluesarereadfromthestacktomakesurethestackhasn’tbeenoverwrittenIfcanaryvaluehaschanged,processcrashesvs.allowingcodetoexecute第62頁SaferE-MailOutlookExpresswillreadalle-mailasplain-textbydefaultBlocksHTMLe-mailexploits“Don’tdownloadexternalHTMLcontentIfyouchosetorenderHTMLe-mail,externalHTMLisnotrendered/downloadedBlocks“webbugs”etc.AESAPI(AttachmentExecutionService)Appsnolongerhavetorolltheirownattachmenthandlingcode(canbesharedbyIM,e-mailetc)第63頁SaferBrowsingInternetExplorerAdd-OnManagement/CrashProtectionBinaryBehaviorslockeddownnowOptionappearsineachzoneforconfiguringBindToObjectmitigationActiveXsecuritymodelnowappliedtoURLbindingMicrosoftJavaVMcanbedisabledperzoneLocalMachineZonelockdownAlllocalfiles/contentprocessedbyIEruninLMZNoActiveXobjectsallowedScriptssettoPromptBinaryBehaviors–disallowedNoJava!第64頁SaferBrowsingInternetExplorerImprovedMIMEhandling4differentchecksperformed(fileextension,Content-Type/DispositionfromheaderandMIMEsniff)Objectcaching/ScopeObjectslosescopewhenbrowsingtoadifferentdomain/FQDNSitescannolongeraccesscachedobjectsfromothersitesPOPUPBLOCKER!!!!!“Nevertrustcontent