The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions David J. Goldman Joseph Nocera

David J. Goldman Joseph Nocera Overview Background Windows Security Vulnerabilities Dealing with Security The Role of the Audit Maintaining a Secure Environment

David J. Goldman Joseph Nocera Background Why this conference exists Windows Security Overview Internal Security Management

David J. Goldman Joseph Nocera Windows Security Vulnerabilities Loss of Confidentiality, Integrity, Accessibility Denial of Service Enticement Information Undesired Access Inability to recover from breach Inability to prosecute

David J. Goldman Joseph Nocera Windows Security Vulnerabilities Areas of Concern Unneeded Services Incorrect System Configuration Improper Access Control Lists Buffer Overflows Other Code Vulnerabilities Known vs. Unknown

David J. Goldman Joseph Nocera Unneeded Services Services Simple TCP/IP Services FTP, WWW, SMTP, NNTP Telnet Terminal Services, Other Remote Access (pcAnywhere, ControlIT, etc) “R” Services (rsh, rcmd, rexec, etc.) Devices Sniffers NFS Key Loggers

David J. Goldman Joseph Nocera Incorrect System Configuration Service Packs/Hotfixes Group Membership Registry Values Shares User Rights User Settings

David J. Goldman Joseph Nocera Improper Access Control Lists Shares Registry Keys Directories Other Securable Objects System Resources  Printers, Services, Tasks, etc. Active Directory Objects  OUs, GPOs, etc.

David J. Goldman Joseph Nocera Buffer Overflows Core Operating System Components Internet Information Server (IIS) SQL Server Third-Party Applications

David J. Goldman Joseph Nocera Other Code Vulnerabilities Core Operating System Components Third-Party Applications Custom Developed Applications Web Pages and Internet Applications

David J. Goldman Joseph Nocera Dealing With Security Overall Security Architecture Risk Assessment Data Classification Audit the Environment Security Design/Implementation Plan Monitor and Control

David J. Goldman Joseph Nocera The Role of the Audit Determine Vulnerable Areas Obtain Specific Security Information Allow for Remediation Check for Compliance Ensure Ongoing Security

David J. Goldman Joseph Nocera Security Audit Components The “Fab Five” User Resource System Network Auditing, Logging, and Monitoring

David J. Goldman Joseph Nocera User Security Components User Account Properties Account Policy User Rights Groups Configuration Issues Passwords – Complexity/Aging/Uniqueness Disabled/Locked Accts Wkstn Restrictions 4 Logon Types Sensitive User Rights Privileged Group Membership

David J. Goldman Joseph Nocera Resource Security Components File Systems File, Folder, and Object Security Shares Configuration Issues NTFS vs. FAT, EFS DACLs/SACLs – reg, files/folders, printers, services Shares – who needs read/change/full

David J. Goldman Joseph Nocera Resource Security Cont. Critical Resources %systemroot% (repair, config, LogFiles) %systemroot%\*.exe \Program Files Inetpub, Inetsrv, IIS data directories

David J. Goldman Joseph Nocera System Security Components Registry Services Configuration Issues Access Paths - Winreg/AllowedPaths Reg Permissions - Run, RunOnce, AeDebug Reg Values – Restrictanonymous Crashdump/Clearpagefile, lmcompatibility Installed Services Service Context – System vs. User

David J. Goldman Joseph Nocera Network Security Components Domains and Trusts Protocols Internet Information Server (IIS) Configuration Issues Relationships – appropriate access What is needed – TCP/IP, NetBIOS, NWLink IIS – WWW, FTP, SMTP, NNTP

David J. Goldman Joseph Nocera Auditing, Logging, and Monitoring Components Audit Policies Event Logs Network Alerts Performance Monitor Configuration Issues System Events Files and Directories Registry Log Settings

David J. Goldman Joseph Nocera Maintaining a Secure Environment Methodology Tools Implementation Scripts

David J. Goldman Joseph Nocera Security Methodologies Assess Design Implement Operate/Maintain

David J. Goldman Joseph Nocera Tools Assessment Security Configuration Manager DumpSec and DumpReg Custom scripts (Visual Basic Scripting) Implemenetation Security Configuration Manager Resource Kit Utilities Custom Scripts  VB Script, Command Shell, other scripting languages

David J. Goldman Joseph Nocera Scripts and Examples DEMO

David J. Goldman Joseph Nocera Conclusion Holistic Approach to Security Detailed plan Ongoing Process David Goldman: Joseph Nocera: