Slide 1: SEC302 Windows Server 2003 Security Enhancements
  Ben Smith, Senior Security Strategist, Microsoft Corporation
Slide 2: Agenda
  - What We Did Differently
  - Security Enhancements in Windows Server 2003
    - IIS 6.0 Re-architecture
    - Changes with Permissions
    - System Services
    - Enhancements to IPSec
    - All new: Network Access Quarantine
    - Software Restriction Policies
  - Windows Server 2003 Security Guidance
  - What's coming...
Slide 3: The Security Framework: SD3+C
  Secure by Design
    - Mandatory training
    - Built threat models
    - Conducted code reviews and penetration testing
    - Used automated code tools
    - Redesigned IIS 6.0 architecture
  Secure by Default
    - 60% less attack surface area by default compared to Windows NT 4.0 SP3
    - 20+ services changed to be off by default
    - Services install in a secure state (IIS 6.0 Lockdown)
  Secure by Deployment
    - New patch management tools
    - 7 Microsoft Official Curriculum courses available at launch
    - Official security configuration guides
    - Integrated security tools
  Communications
    - Writing Secure Code 2.0
    - Architecture webcasts
Slide 4: Security in Active Directory
  - Cross-Forest Trusts: enables administrators to create external forest-to-forest trusts
  - Cross-Forest Authentication: enables secure access to resources when the user account is in one forest and the computer account is in another forest
  - Cross-Forest Authorization: enables administrators to select users and groups from trusted forests for inclusion in local groups or ACLs
  - IAS and Cross-Forest Authentication: if Active Directory forests are in cross-forest mode with two-way trusts, IAS/RADIUS can authenticate the user account in the other forest
Slide 5: PKI Enhancements
  - Cross-Certification Support
  - Role separation
  - Custom Certificate Templates (Version 2)
  - Delta CRLs
  - Key Archival/Recovery
  - Auto-enrollment
  - Auditing of admin operations
  See: Windows Server 2003 PKI Operations Guide
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp
Slide 6: Miscellaneous Enhancements
  - DLL search order priority changed from the working directory to \windows\system32
  - AES 256-bit encryption is the default in EFS
  - Everyone group no longer includes anonymous users (Users and Guests)
  - Accounts with blank passwords are console-bound
  - Protected EAP (PEAP)
  - Detailed security auditing
  - RRAS Basic Firewall
Slide 7: Miscellaneous Enhancements (continued)
  - IIS 6.0 Lockdown mode
  - IIS re-architecture
  - Authorization Manager (AuthMan)
  - Credential Manager (CredMan)
  - Constrained delegation
  - .NET Framework 1.1 Code Access Security
  - Administrator password complexity
  - Screen saver timeout
Slide 8: Miscellaneous Enhancements (continued)
  - Account Logon auditing enabled by default
  - Anonymous access restricted (SAM, named pipes, shares)
  - Remote registry decoupled from the Server service
  - NTLM compatibility setting blocks LM from the wire
  - IE Lockdown
  - Terminal Server rights control
  - DPAPI integration
  - Greatly improved Help file for security
Slide 9: IIS 5 Request Processing (diagram)
  Labels recovered from the diagram: kernel mode (TCP/IP, AFD, WinSock); user mode (INETINFO.exe with the Metabase and the FTP, NNTP and SMTP services; out-of-process applications in several DLLHOST.exe processes); request/response path.
Slide 10: IIS 6.0 Request Processing (diagram)
  Labels recovered from the diagram: kernel mode (HTTP with its cache and queue, TCP/IP); user mode (WWW Service with administration and monitoring, XML metabase, Inetinfo hosting FTP, NNTP and SMTP, IIS 6.0 application pools); request/response path.
Slide 11: Detailed Security Auditing (example)
Slide 12: The Security Framework at Microsoft (video)
  "Yes, the same old video you have seen before." STOP: there is no time for this, this is a level 300 session.
Slide 13: Permissions
  Default NTFS permissions locked down
    Was: Everyone, Full Control
    Now: Everyone, Read and Execute (root only)
         Users, Read and Execute, Create Folder, Create File
         SYSTEM, Creator, Administrators, Full Control
  Default share permissions
    Was: Everyone, Full Control
    Now: Everyone, Read
  New features
    - Effective Permissions tool
    - Replace Owner through the GUI
Slide 14: Permissions: seeing is believing! (quick demo)
Slide 15: What do all of these services have in common?
  Alerter, Clipbook, Distributed Link Tracking (Server), Imapi CDROM Burning Service, Human Interface Devices, ICS/ICF, Intersite Messaging, KDC, License Logging Manager, Terminal Server Discovery Service, Windows Image Acquisition, Messenger, NetMeeting, NetDDE, NetDDE DSDM, RRAS, Telnet, Themes, WebClient, Windows Audio
  Answer: Startup = Disabled
Slide 16: System Service Accounts
  Local Service and Network Service
    - No password to manage
    - Run with only slightly more permissions than an authenticated user
    - Local Service cannot authenticate across the network; Network Service authenticates as the computer account
  Local System
    - No password to manage
    - Bypasses security checks
  User accounts
    - Run with less privilege than Local System
    - Password is stored as an LSA secret
    - Can be complex to configure
Slide 17: Enumerating Services with WMIC (quick demo)
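The audit the WMIC demo walks through, as an added example that is not the presentation's own script: it lists the services the previous slides care about (the ones expected to be disabled, and the ones running as Local System) from PowerShell. The display-name fragments are constructed from the slide text and matched as substrings; the `wmic` command in the comment is the era's equivalent.

```powershell
# Added example (not the presentation's own script): the service audit the WMIC
# demo walks through, done from PowerShell. The equivalent command of the era was:
#   wmic service get Name,DisplayName,StartMode,StartName,State

# Display-name fragments for the services the "Startup = Disabled" slide lists,
# constructed from the slide text and matched as substrings because the real
# display names differ slightly (e.g. "IMAPI CD-Burning COM Service").
$SlideDisabledList = @(
    'Alerter', 'ClipBook', 'Distributed Link Tracking Server', 'IMAPI',
    'Human Interface Device', 'Internet Connection', 'Intersite Messaging',
    'Kerberos Key Distribution Center', 'License Logging',
    'Terminal Server Discovery', 'Windows Image Acquisition', 'Messenger',
    'NetMeeting', 'Network DDE', 'Routing and Remote Access', 'Telnet',
    'Themes', 'WebClient', 'Windows Audio'
)

function Get-ServiceAudit {
    param(
        [string[]] $ExpectedDisabled = $SlideDisabledList,
        [string]   $ComputerName = '.'
    )
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), State and StartName,
    # the account the service process runs as.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

    # 1. Services the slide expects to be disabled that are not.
    $notDisabled = foreach ($fragment in $ExpectedDisabled) {
        $services |
            Where-Object { $_.DisplayName -like "*$fragment*" -and $_.StartMode -ne 'Disabled' } |
            Select-Object Name, DisplayName, StartMode, State
    }

    # 2. Non-disabled services running as LocalSystem, the account that bypasses
    #    security checks (System Service Accounts slide).
    $asSystem = $services |
        Where-Object { $_.StartMode -ne 'Disabled' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, StartMode, State

    # 3. How many non-disabled services run under each logon account
    #    (LocalSystem, NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService, user accounts).
    $byAccount = $services |
        Where-Object { $_.StartMode -ne 'Disabled' } |
        Group-Object StartName |
        Select-Object Name, Count

    return @{
        ShouldBeDisabled = @($notDisabled)
        RunningAsSystem  = @($asSystem)
        ByAccount        = @($byAccount)
    }
}

$audit = Get-ServiceAudit
'Services the slide expects disabled but found enabled:'
$audit.ShouldBeDisabled | Format-Table -AutoSize
'Enabled services running as LocalSystem:'
$audit.RunningAsSystem | Format-Table -AutoSize
'Enabled services by logon account:'
$audit.ByAccount | Format-Table -AutoSize
```

Run it in an elevated session on the server, or pass `-ComputerName` to query another host over WMI; an empty first table means the host matches the slide's default, and the second table is the list to review against the "Local System bypasses security checks" point.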
Slide 18: What's New with IPSec?
  Management
    - IP Security Monitor
    - Command-line management with Netsh
    - Logical addresses for local IP configuration
  Security
    - Stronger cryptographic master key (Diffie-Hellman)
    - Computer startup security
    - Persistent policy for enhanced security
    - Ability to exclude the name of the CA from certificate requests
    - Better default exemption handling
  Interoperability
    - IPSec functionality over network address translation (NAT)
    - Improved IPSec integration with Network Load Balancing
Slide 19: Default Exempt Rules in IPSec
  Stored in the registry value HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
  Traffic exempt from IPSec filtering for each NoDefaultExempt value:
    0: RSVP, IKE, Kerberos, Multicast, Broadcast
    1: IKE, Multicast, Broadcast
    2: RSVP, IKE, Kerberos
    3: IKE
Slide 20: Managing IPSec with Netsh (demo)
  Options not available through the UI:
    - Configure default exemptions
    - Enable CRL checking
    - Enable IKE logging
    - Enable IPsec driver dynamic logging
    - Enable persistent policy
    - Configure startup exemptions
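The two IPSec slides above, as an added example that is not the presentation's own script: it reads and decodes the NoDefaultExempt value (a two-bit flag, which is why the four columns on the exemption slide look the way they do) and then issues the `netsh ipsec` commands behind the six command-line-only options on this slide. The `netsh ipsec dynamic set config` and `netsh ipsec static set store` parameter names are those of Windows Server 2003; the `bootexemptions` value format and the "absent means 3" default are my assumptions and should be confirmed with `netsh ipsec dynamic set config /?`.

```powershell
# Added example (not the presentation's own script): decode the NoDefaultExempt
# value from the previous slide and drive the netsh-only IPSec options this slide
# lists. The netsh ipsec dynamic/static contexts and their parameter names are
# those of Windows Server 2003; the bootexemptions value format is an assumption
# and should be confirmed with 'netsh ipsec dynamic set config /?'.

# NoDefaultExempt is a bit flag:
#   bit 0 (value 1) removes the Kerberos and RSVP exemptions
#   bit 1 (value 2) removes the multicast and broadcast exemptions
# so 0 exempts all five traffic types on the slide and 3 exempts IKE only.
# IKE stays exempt in every case; without it no security association could be negotiated.
function Get-IPsecDefaultExemptions {
    param([int] $NoDefaultExempt)
    $exempt = @('IKE')
    if (($NoDefaultExempt -band 1) -eq 0) { $exempt += 'Kerberos', 'RSVP' }
    if (($NoDefaultExempt -band 2) -eq 0) { $exempt += 'Multicast', 'Broadcast' }
    return $exempt
}

# Read the live value; if the value is absent this treats it as 3 (assumption:
# the Windows Server 2003 default).
function Get-CurrentNoDefaultExempt {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
    $item = Get-ItemProperty -Path $key -Name NoDefaultExempt -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.NoDefaultExempt } else { return 3 }
}

# The settings the slide says are reachable only from the command line. Each
# entry is the argument string handed to netsh; -WhatIf prints them without running.
function Set-IPsecCommandLineOptions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $commands = @(
        'ipsec dynamic set config ipsecexempt value=3',        # default exemptions: IKE only
        'ipsec dynamic set config strongcrlcheck value=2',     # CRL checking: fail on any CRL error
        'ipsec dynamic set config ikelogging value=1',         # IKE logging to %SystemRoot%\Debug\Oakley.log
        'ipsec dynamic set config ipsecdiagnostics value=7',   # IPsec driver dynamic logging, all events
        'ipsec dynamic set config bootmode value=stateful',    # computer startup security
        'ipsec dynamic set config bootexemptions value=tcp:0:3389:inbound', # startup exemption (value format assumed)
        'ipsec static set store location=persistent'           # later policy commands target the persistent store
    )
    foreach ($cmd in $commands) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "netsh $cmd")) {
            & netsh ($cmd -split ' ')
        }
    }
}

$value = Get-CurrentNoDefaultExempt
"NoDefaultExempt = $value; exempt from IPsec filtering: $((Get-IPsecDefaultExemptions $value) -join ', ')"
Set-IPsecCommandLineOptions -WhatIf   # drop -WhatIf to apply the settings
```

Persistent policy takes effect only for policies created and assigned after the store is switched to `persistent`, which is why that command comes last; the startup exemption shown keeps inbound RDP reachable while the stateful boot mode blocks everything else until the IPsec service has loaded its policy.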
Slide 21: Announcing: Network Access Quarantine for RRAS
Slide 22: What is Network Access Quarantine? (flow diagram)
  1. Remote access client authenticates
  2. RAS client is placed in quarantine
  3. If the RAS client meets the quarantine policies, it gets full access to the network
  4. The RAS client is disconnected if (1) it fails the policy check or (2) the quarantine timeout is reached
Slide 23: What are policy rules?
  Quarantine policy rules are configurable; common rules may include:
    - Service packs or the latest hotfixes installed
    - Antivirus software installed
    - Antivirus signature files updated
    - Routing disabled on the RAS client
    - Internet Connection Firewall enabled
    - A password-protected screensaver enabled
Slide 24: Quarantine Architecture (diagram participants: Internet, RAS client, RRAS server, IAS server, quarantine network)
  CM profile
    - Runs a customizable post-connect script
    - Script runs the RQC notifier with a "results string"
  Listener
    - RQS receives the notifier's "results string"
    - Compares the results to the possible results
    - Removes the time-out if a response is received but the client is out of date
    - Removes the quarantine filter if the client is up to date
  Quarantine VSAs
    - Timer limits the time window to receive the notification before automatic disconnect
    - Q-filter sets a temporary route filter restricting the client to quarantine access
  RQC.exe and RQS.exe are in the Windows Server 2003 Resource Kit
Slide 25: Detailed Quarantine Process (sequence diagram)
  Participants: Internet, RAS client, RRAS server, IAS server, quarantine network
  Steps: Connect → Authenticate → Authorize → Quarantine VSA + normal filters → Policy check → Result → Remove quarantine; the client's access moves from Quarantine Access to Full Access
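The client side of the process on slides 22 to 25, as an added example that is not from the presentation or the Resource Kit: a post-connect policy script of the kind the CM profile runs, written in PowerShell rather than the batch file of the era. It checks four of the rules on the policy slide and then notifies RQS through RQC with a results string, sending a distinct "out of date" string on failure so that, as the architecture slide describes, RQS lifts the time-out but keeps the quarantine filter. The RQC argument order, the RQS listener port 7250, the path to rqc.exe and the antivirus service name are assumptions and must be verified against the Resource Kit documentation and the deployed product.

```powershell
# Added example (not from the presentation or the Resource Kit): a post-connect
# policy script of the kind the CM profile runs, in PowerShell rather than the
# batch file of the era. The RQC argument order (connection, tunnel connection,
# TCP port, domain, user, results string), the RQS port 7250 and the rqc.exe path
# are assumptions; verify them against the Resource Kit documentation.
param(
    [string] $ConnectionName,        # the dial-up/VPN entry name CM connected with
    [string] $TunnelConnectionName,  # the tunnel entry, or '' for a plain dial-up
    [string] $Domain,
    [string] $UserName,
    [string] $ResultsString   = 'Version1',   # must be in RQS's allowed set to lift quarantine
    [string] $OutOfDateString = 'OutOfDate',  # deliberately not in the allowed set
    [int]    $RqsPort = 7250,
    [string] $RqcPath = "$env:SystemRoot\System32\rqc.exe"
)

function Test-QuarantinePolicy {
    $failures = @()

    # Service pack installed (slide: service packs or the latest hotfixes).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if (-not $os.CSDVersion) { $failures += 'no service pack installed' }

    # Routing disabled on the RAS client: IPEnableRouter must not be 1.
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    if ($tcpip.IPEnableRouter -eq 1) { $failures += 'IP routing is enabled' }

    # Internet Connection Firewall enabled, read through the firewall COM object (XP SP2 and later).
    try {
        $fw = New-Object -ComObject HNetCfg.FwMgr
        if (-not $fw.LocalPolicy.CurrentProfile.FirewallEnabled) { $failures += 'firewall is disabled' }
    } catch {
        $failures += 'firewall state could not be read'
    }

    # Password-protected screen saver: both flags are REG_SZ "1" under the user's Desktop key.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    if ("$($desk.ScreenSaveActive)" -ne '1' -or "$($desk.ScreenSaverIsSecure)" -ne '1') {
        $failures += 'screen saver is not active or not password protected'
    }

    # Antivirus installed and running; the service name is a placeholder for the deployed product.
    $avService = Get-Service -Name 'AV_SERVICE_NAME_PLACEHOLDER' -ErrorAction SilentlyContinue
    if (-not $avService -or $avService.Status -ne 'Running') { $failures += 'antivirus service is not running' }

    return $failures
}

$failures = @(Test-QuarantinePolicy)
if ($failures.Count -gt 0) {
    # Report locally, then notify RQS with a string outside its allowed set: per the
    # architecture slide, RQS removes the time-out but leaves the quarantine filter
    # in place, so the user can update without being disconnected by the timer.
    Write-Output ('Quarantine policy check failed: ' + ($failures -join '; '))
    & $RqcPath $ConnectionName $TunnelConnectionName $RqsPort $Domain $UserName $OutOfDateString
    exit 1
}

# All checks passed: send the results string RQS recognises so it removes the quarantine filter.
& $RqcPath $ConnectionName $TunnelConnectionName $RqsPort $Domain $UserName $ResultsString
exit $LASTEXITCODE
```

The script is meant to be launched by the CM profile's post-connect action with the connection and user values filled in; the only thing the RRAS side needs to agree on is the results string, which is why the passing and failing strings are kept as separate parameters.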
Slide 26: Software Restriction Policies
  Two modes: Disallowed, Unrestricted
  Control executable code by file type: .ADE .ADP .BAS .BAT .CHM .CMD .CPL .CRT .EXE .HLP .HTA .INF .INS .ISP .JS .JSE .LNK .MDB .MDE .MSC .MSI .MSP .MST .PCD .PIF .REG .SCR .SCT .SHS .URL .VB .VBE .VBS .WSC .WSF .WSH
Slide 27: What SRPs do not protect against
  - Drivers or other kernel-mode software
  - Any program run by the SYSTEM account (SRPs cannot protect against SYSTEM)
  - Macros inside Microsoft Office 2000 or Office XP documents (use the macro security settings)
  - Programs written for the common language runtime (these use Code Access Security)
Slide 28: Types of SRP Rules
  Path rule
    - Compares the path of the file being run to an allowed path list
    - Use when you have a folder with many files for the same application
    - Essential when SRPs are strict
  Hash rule
    - Compares the MD5 or SHA-1 hash of a file to that of the file being run
    - Use when you want to allow or prohibit a certain version of a file from being run
  Certificate rule
    - Checks for a digital signature on the application (e.g., Authenticode)
    - Use when you want to restrict both Win32 applications and ActiveX content
  Internet zone rule
    - Controls how Internet zones can be accessed
    - Use in high-security environments to control access to web applications
Slide 29: Rule Precedence
  What happens when multiple rules match a program? Example: trying to run Windows Calculator
    Path rule  c:\winnt                                      Unrestricted
    Hash rule  A6A44A0E8A76C7B2174DE68C5B0F724D:114688:32771  Disallowed
    Path rule  c:\winnt\system32\calc.exe                     Disallowed
  Most specific matching rule wins:
    1. Hash rule
    2. Certificate rule
    3. Path rule
    4. Zone rule
Slide 30: How to Develop Policies?
  1. List allowed applications
  2. Start them up
  3. Consult system info (msinfo32.exe):
     Software Environment → Running Tasks
     Software Environment → Loaded Modules
     Software Environment → Startup Programs
  4. Create rules
  5. Refine rules
  6. Generalize rules:
     C:\winnt → %WINDIR%
     C:\app\dir1, C:\app\dir2 → C:\app
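Slides 28 to 30 together, as an added example that is not the presentation's own code: a small model of how the four SRP rule types match a program and which rule wins, run against the calc.exe case from the precedence slide, plus a helper that produces a hash-rule identifier in the `<MD5>:<length>:32771` format that slide shows for use in the "Create rules" step. The rule and file objects, the function names, the `Zone = 'Local'` value and the longer-path tie-break between path rules are my own constructions.

```powershell
# Added example (not the presentation's own code): a model of SRP rule matching
# and precedence using the calc.exe case from the precedence slide, plus a helper
# for the hash-rule identifier format that slide shows. Rules and files are plain
# hashtables so the code also runs on the PowerShell 2.0 of the era.

# Precedence from the slide: lower number wins when several rules match.
$RulePrecedence = @{ Hash = 1; Certificate = 2; Path = 3; Zone = 4 }

# Hash-rule identifier as shown on the slide: <MD5 hex>:<file length>:32771.
# 32771 is 0x8003 (CALG_MD5), recorded with the rule so the engine knows which
# hash algorithm to recompute.
function New-SrpHashRuleId {
    param([string] $FilePath)
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $hex   = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    return '{0}:{1}:32771' -f $hex, $bytes.Length
}

# Does one rule apply to the file? Path rules cover the path itself and anything
# beneath it; environment variables such as %WINDIR% are expanded first.
function Test-SrpRuleMatch {
    param($Rule, $File)
    switch ($Rule.Type) {
        'Hash'        { return $Rule.Id -eq $File.HashId }
        'Certificate' { return ($File.SignerThumbprint -ne $null) -and ($Rule.Id -eq $File.SignerThumbprint) }
        'Path' {
            $p = [Environment]::ExpandEnvironmentVariables($Rule.Id).TrimEnd('\')
            return ($File.Path -eq $p) -or ($File.Path -like "$p\*")
        }
        'Zone'        { return $Rule.Id -eq $File.Zone }
    }
    return $false
}

# Pick the winning rule: rule type first (hash > certificate > path > zone), then,
# among rules of the same type, the longer (more specific) identifier (my tie-break).
function Resolve-SrpRule {
    param([object[]] $Rules, $File, [string] $DefaultLevel = 'Unrestricted')
    $matched = @($Rules | Where-Object { Test-SrpRuleMatch -Rule $_ -File $File })
    if ($matched.Count -eq 0) {
        return @{ Level = $DefaultLevel; Rule = $null }   # default security level applies
    }
    $winner = $matched |
        Sort-Object @{ Expression = { $RulePrecedence[$_.Type] } },
                    @{ Expression = { $_.Id.Length }; Descending = $true } |
        Select-Object -First 1
    return @{ Level = $winner.Level; Rule = $winner }
}

# The three rules on the precedence slide.
$rules = @(
    @{ Type = 'Path'; Id = 'c:\winnt';                                        Level = 'Unrestricted' },
    @{ Type = 'Hash'; Id = 'A6A44A0E8A76C7B2174DE68C5B0F724D:114688:32771'; Level = 'Disallowed' },
    @{ Type = 'Path'; Id = 'c:\winnt\system32\calc.exe';                      Level = 'Disallowed' }
)
# Constructed description of the Calculator binary from that slide.
$calc = @{
    Path             = 'c:\winnt\system32\calc.exe'
    HashId           = 'A6A44A0E8A76C7B2174DE68C5B0F724D:114688:32771'
    SignerThumbprint = $null
    Zone             = 'Local'
}
$result = Resolve-SrpRule -Rules $rules -File $calc
'calc.exe -> {0}, decided by the {1} rule {2}' -f $result.Level, $result.Rule.Type, $result.Rule.Id

# Produce a hash-rule identifier for a real file when building your own policy.
New-SrpHashRuleId -FilePath "$env:WINDIR\system32\calc.exe"
```

All three rules match calc.exe, and the resolver reports Disallowed from the hash rule, as the slide states: the hash rule outranks both path rules even though one of those names the file exactly. Replacing the hash with one from a different build of calc.exe makes the hash rule drop out, and the exact-path rule then wins over the `c:\winnt` rule, which is the generalization step on the "How to Develop Policies?" slide in action.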
Slide 31: Policy Gotchas
  Make sure you include the following:
    - Some programs consist of many EXEs (Powerpnt.exe: clip art launches mstore.exe)
    - Login scripts
    - Startup folders and registry keys
    - Anti-virus program
    - Add-ins
  Have you allowed too much? Check ACLs
Slide 32: Software Restriction Policies (demo)
Slide 33: Windows Server 2003 Security Configuration Guide
  Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
  Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160
Slide 34: Comments
  "We commend Microsoft for providing enhanced security guidance to its customers as well as for soliciting user input as part of the process of producing that guidance." Clint Kreitner, President/CEO
  "NIST reviewed and provided technical comments & advice that was incorporated in this guidance." Timothy Grance, Manager, Systems and Network Security Group
Slide 35: Keep an eye out for...
  Security Configuration Wizard (SCW)
    The SCW will help administrators maximize the security of servers with common roles without sacrificing required functionality. Administrators can use the Security Configuration Wizard in SCE to construct security policies for their different types of servers, and perform lockdown testing to verify that systems function as expected.
  Microsoft Audit Collection Services (MACS)
    MACS is a tool to monitor and audit systems in a centralized manner. It collects security events in a compressed, signed, encrypted form and loads them into a SQL database for analysis.
Slide 36: Suggested Reading and Resources
  The tools you need to put technology to work!
  Available today: Microsoft Windows Security Resource Kit; Writing Secure Code 2
  Microsoft Press books are 20% off at the TechEd Bookstore; buy any two Microsoft Press books and get a free T-shirt
Slide 37: Resources (appendix)
  Network Access Quarantine whitepaper: http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
  Software Restriction Policy: http://www.microsoft.com/windows2000/technologies/security/redir-wnetsafer.asp
  Windows Server 2003 Resource Kit Tools download: http://go.microsoft.com/fwlink/?LinkId=4544
Slide 38: Community Resources
  http://www.microsoft.com/communities/default.mspx
  Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
  Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
  User groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Slide 39: Evaluations
Slide 40: © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.