1. SEC403 Network Threat Modeling Jesper M. Johansson, Ph.D. Security Program Manager Security Business Unit Microsoft Corporation jesperjo@microsoft.com

2. Threat Modeling Understanding and communicating the threats to your environment Commonly used in application design Writing Secure Code 2 nd Ed. Can also be applied to networks

3. Network Security Hardening Default OS configuration is acceptable for a trusted network Windows 2000 is very open by default Windows Server 2003 is much more secure Still room for improvement Application hardening is critical Same rules apply as for software Lemma: You cannot design an optimal security configuration without a thorough understanding of the usage pattern of a system

4. Example 1: Windows 2000 IIS is turned on by default All the samples are installed Web printing is turned on Anonymous users can connect Enumerate all shares (including “hidden”) Enumerate all users List administrators Obtain auto admin logon credentials

5. Example 2: SQL Server 2000 Service account typically is Local System Technically not correct, but if you specify anything else, it gets SeTCB Public has execute permission on 1,000+ stored procedures and objects Listens on several different transports Tells anyone what databases are available

6. Example 3: Open Hack IV Four systems Web Server SQL Server Terminal Server VPN Server Well-understood environment Limited Scope Test-bed for new techniques Internet Web SQLTS 80 3389 GRE 1723 3389 1433 Virtual Net VPN

7. Open Hack IV Hardening Windows 2000 Service Pack 3 All patches IPSec restricted all traffic Only known traffic allowed No general traffic Certificate-based (no domain PKI) Unable to run SQL Enterprise Manager and RRAS Manager

8. Open Hack IV Hardening SQL Server hardening SQL 2000 Service Pack 2 Custom, unprivileged service account Restrict access to sprocs and XPs Anonymous web user account Duplicated on SQL Server Account has execute on sprocs No access to the database

9. Lessons Learned Analysis of target environment is absolutely essential Must include analysis of protocols Understanding what is unnecessary is hard Baseline and deltas works well Group policy is a bonus Easy configuration of baseline/deltas Includes IPSec policies Careful smoke-testing needed

10. Applying the lessons - DSR Document Model applications and services Environment dependent Segregate Applications Security requirements Restrict Disable services Close ports Use IPSec or RRAS filters Use different passwords

11. Document Purpose is to communicate what the environment looks like Use well understood modeling techniques Modified Data flow diagrams Threat trees Verbose documentation

12. Looking at Systems with DFDs Graphic representation showing communication between objects Describes activities that process data Shows how data flows through a system Shows logical sequence of associations and activities Sometimes known as a process model We are appropriating and modifying this method

13. Modified Data Flow Diagram Conventions Data Flow

14. Modeling a Network

15. Superimposing the DFD

16. Segregate Segregate systems by application and security requirements Should you trust systems that are not part of your application? Which systems do they trust? What are their security requirements? Less sensitive systems may depend on more sensitive systems More sensitive systems MUST NEVER depend on less sensitive systems

17. Documenting Segments

18. Trust Boundaries Systems and entities you trust are included within your trust boundary Should your trust boundary include databases? It depends Who writes to them? Do you trust those systems? If you trust the systems that write to the database you may still not want to trust the database Is it secure?

19. Trust Boundaries

20. Document the threats Documenting threats to your systems is difficult What kinds of things can go wrong? How can an attacker take advantage of your network? You must think like an attacker What are the juicy bits of data? What do they want to do with your environment? Evaluate chains If item A occurs then item B can occur…

21. Fault Trees Demonstrate logical paths through a system Used to highlight faults in a system Points out relationships between faults Allow us to estimate the interactions between faults

22. Goal: Root the SQL Server Break here by restricting outgoing traffic from web servers Break here by limiting trust environment for service accounts Break here by patching Break here with IIS and SQL lockdown

23. Restrict Policies allow nothing but… Disable unnecessary services Remove users Restrict privileges Turn on security tweaks Remove permissions Set very strong passwords Restrict communications IPSec RRAS filters

24. Conclusion Hardening networks requires understanding the environment Optimal hardening requires deep understanding There is a fundamental tradeoff between security and usability Three-phase approach to network hardening Document Segregate Restrict

25. Ask The Experts Get Your Questions Answered Jesper will be at the Ask The Experts area from 12:30 to 14:30 on July 2

26. Suggested Reading And Resources Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com Microsoft Press books are available at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall Microsoft Press books are available at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall The tools you need to put technology to work! TITLE AvailablePrice Today$49.99 Microsoft Windows 2000 Security Technical Reference Writing Secure Code, 2/e Today$49.99

27. Other Resources Tools: Registry Monitor and File Monitor http://www.sysinternals.com For technical information: Security information on Microsoft Produts http://www.microsoft.com/technet/security Windows Server 2003 http://www.microsoft.com/windowsserver2003/ Threats and Countermeasures in Windows Server 2003 and Windows XP http://go.microsoft.com/fwlink/?LinkId=15160 MBSA http://www.microsoft.com/technet/security/tools /Tools/mbsahome.asp http://www.microsoft.com/technet/security/tools /Tools/mbsahome.asp Open Hack IV Hardening http://msdn.microsoft.com/library/en- us/dnnetsec/html/openhack.asp http://msdn.microsoft.com/library/en- us/dnnetsec/html/openhack.asp For training and certification questions: Microsoft Training and Certification http://www.microsoft.com/training http://www.microsoft.com/training For Security Guidance And Training Windows 2000 Security Hardening Guide http://www.microsoft.com/technet/security/pr odtech/Windows/Win2kHG.asp http://www.microsoft.com/technet/security/pr odtech/Windows/Win2kHG.asp Windows Server 2003 Security Guide http://go.microsoft.com/fwlink/?LinkId=14846 Windows XP Security Guide http://go.microsoft.com/fwlink/?LinkId=14839 Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP http://go.microsoft.com/fwlink/?LinkId=15159

29. Backup Slides

30. Process Common DFD Symbols A task or set of tasks that must be performed on data Only the process is labeled, not the people or systems that perform them Processes transform data To create a new output To create new knowledge about the input To sort To distribute to different processes Try to keep the number of processes to less than 10 on each diagram Label process with an imperative verb and noun

31. Data store Common DFD Symbols Repository for data Stores are passive objects Could be logical Registry File System Active Directory Or physical File cabinet A data flow to a store means that data is being recorded A data flow from a store means that data is being read Label with a descriptive noun

32. Common DFD Symbols Data being conveyed Indicate direction of flow with an arrow Each data flow is one logical set of data, think of it as some struct Label with a descriptive noun Authentication data ASP source file

33. Common DFD Symbols Data being conveyed Indicate direction of flow with an arrow Each data flow is one logical set of data, think of it as some struct Label with a descriptive noun Authentication data ASP source file

34. Hierarchical Levels Context Diagram - A DFD showing the data flows between the target system and external entities. Describes the boundaries of the system The target system is represented by a single process bubble. Level 0 - A DFD showing the major sub-systems and the data flows between them and to and from the outside world. Level n - A DFD showing the components of one of the processes in the level n-1 diagram A web farm can be exploded in a level 1

35. A simple web server context diagram

36. More Detail: Level 0 DFD

37. Even More Detail: Level 1 DFD

38. Basic Rules External Entities Data flow between external entities is outside the scope of the diagram External entities can only talk to processes Would you let outsiders access your data stores directly? Data flows Flows are unidirectional Flows can fork, if the same data is sent to two different processes or stores. A fork in a data flow means that exactly the same data goes to two different processes or data stores. A join in a data flow means that exactly the same data comes from two different processes or data stores Data does not circle back to the originating process

39. Basic Rules Processes A process without input is a miracle, making data from nothing A process without output is a black hole Data Stores Data stores are passive, hence they cannot move data You do not ask data stores for information, you go get it External entities should never access data stores directly Summary: A data store should be connected to a process

40. Common Problems Including unnecessary processes and external entities Missing necessary processes Combining activities into a single process Not labeling all data flows Processes that do not process Multi-directional data flows

41. Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.mvp.support.microsoft.com/ Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://www.microsoft.com/communities/newsgroups/default.mspx User Groups Meet and learn with your peers http://www.microsoft.com/communities/usergroups/default.mspx

42. evaluations evaluations

43. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.