Presentation is loading. Please wait.

Presentation is loading. Please wait.

SEC302 Windows Server 2003 Security Enhancements Ben Smith Senior Security Strategist Microsoft Corporation.

Published by Modified over 10 years ago

Similar presentations

Presentation on theme: "SEC302 Windows Server 2003 Security Enhancements Ben Smith Senior Security Strategist Microsoft Corporation."— Presentation transcript:

1 SEC302 Windows Server 2003 Security Enhancements Ben Smith Senior Security Strategist Microsoft Corporation

2 Agenda What We Did Differently Security Enhancements in Windows Server 2003 IIS 6.0 Re-architecture Changes with Permissions System Services Enhancements to IPSec All new: Network Access Quarantine Software Restriction Policies Windows Server 2003 Security Guidance What’s coming…

3 Secure by Deployment New patch management tools New patch management tools 7 Microsoft Official Curriculum courses available at launch 7 Microsoft Official Curriculum courses available at launch Official security configuration guides Official security configuration guides Integrated security tools Integrated security tools Secure by Design Mandatory training Mandatory training Built threat models Built threat models Conducted code reviews and penetration testing Conducted code reviews and penetration testing Used automated code tools Used automated code tools Redesigned IIS 6.0 architecture Redesigned IIS 6.0 architecture Secure by Default 60% less attack surface area by default compared to Windows NT 4.0 SP3 60% less attack surface area by default compared to Windows NT 4.0 SP3 20+ services changed to be off by default 20+ services changed to be off by default Service install in a secure state (IIS 6.0 Lockdown) Service install in a secure state (IIS 6.0 Lockdown) The Security Framework: SD 3 +C Communications Writing Secure Code 2.0 Writing Secure Code 2.0 Architecture webcasts Architecture webcasts

4 Security in Active Directory Cross-Forest Trusts Enables Administrators to create external forest-to-forest trusts Cross-Forest Authentication Enables secure access to resources when the user account is in one forest and the computer account is in another forest. Cross-Forest Authorization Enables administrators to select users and groups from trusted forests for inclusion in local groups or ACLs. IAS and Cross-Forest Authentication If Active Directory forests are in cross-forest mode with two-way trusts, then IAS/RADIUS can authenticate the user account in the other forest

5 PKI Enhancements Cross–Certification Support Role separation Custom Certificate Templates (Version 2) Delta CRLs Key Archival/Recovery Auto-enrollment Auditing of admin operations See: Windows Server 2003 PKI Operations Guide http://www.microsoft.com/technet/prodtechnol/windows server2003/maintain/operate/ws03pkog.asp http://www.microsoft.com/technet/prodtechnol/windows server2003/maintain/operate/ws03pkog.asp

6 Miscellaneous Enhancements DLL search order priority changed from working directory to \windows\system32 AES-256-bit encryption default in EFS Everyone group no longer includes anonymous users (Users and Guests) Accounts with blank passwords are console-bound Protected EAP (PEAP) Detailed security auditing RRAS Basic Firewall

7 Miscellaneous Enhancements IIS 6.0 Lockdown mode IIS Re-architecture Authorization Manager (AuthMan) Credential Manager (CredMan) Constrained Delegation.Net Framework 1.1 Code Access Security Administrator password complexity Screen saver timeout

8 Miscellaneous Enhancements Account Logon auditing enabled by default Anonymous access restricted to: SAM Named Pipes Shares Remote registry decoupled from Server service NTLM Compatibility blocks LM from the wire IE Lockdown Terminal Server rights control DPAPI Integration Greatly improved Help file for security

9 IIS 5 Request Processing Kernel mode User mode Metabase INETINFO.exe RequestResponse DLLHOST.exeDLLHOST.exe DLLHOST.exeDLLHOST.exe TCP/IP X X FTPFTP NNTPNNTP SMTPSMTP AFD WinSock

10 IIS 6.0 Request Processing Administration&MonitoringAdministration&Monitoring WWW Service HTTPHTTP CacheCacheQueueQueue Kernel mode User mode XMLMetabase Inetinfo FTPFTP NNTPNNTP SMTPSMTP IIS 6.0 RequestResponse Application Pools … X TCP/IP

11 Detailed Security Auditing example example

12 The Security Framework at Microsoft (Yes – the same old video you have seen before) STOP There is no time for this! This is a level 300 session The Security Framework at Microsoft video video

13 Permissions Default NFTS permissions locked down Was: Everyone Full Control Now: Everyone, Read and Execute (Root only) Users Read and Execute, Create Folder, Create File SYSTEM, Creator, Administrators Full Control Default share permissions Was: Everyone Full Control Now: Everyone Read New Features: Effective Permissions Tool Replace Owner through GUI

14 Permissions Seeing is believing! quick demo quick demo

15 What do all of these services have in common? Alerter Clipbook Clipbook Distributed Link Tracking (Server) Distributed Link Tracking (Server) Imapi CDROM Burning Service Imapi CDROM Burning Service Human Interface Devices Human Interface Devices ICS/ICF ICS/ICF Intersite Messaging Intersite Messaging KDC KDC License Logging Manager License Logging Manager Terminal Server Discovery Service Terminal Server Discovery Service Windows Image Acquisition Windows Image Acquisition Messenger Messenger NetMeeting NetMeeting NetDDE NetDDE NetDDE DSDM NetDDE DSDM RRAS RRAS Telnet Telnet Themes Themes WebClient WebClient Windows Audio Windows Audio Startup = Disabled

16 System Service Accounts Local Service and Network Service No password to manage No password to manage Runs with only slightly more permissions than Authenticated User Runs with only slightly more permissions than Authenticated User Local Service cannot authenticate across the network, Network Service authenticates as the computer account Local Service cannot authenticate across the network, Network Service authenticates as the computer account Local System No password to manage No password to manage Bypasses security checks Bypasses security checks User Accounts Run with less privilege than Local System Run with less privilege than Local System Stores password as an LSA secret Stores password as an LSA secret Can be complex to configure Can be complex to configure

17 Enumerating Services with WMIC quick demo quick demo

18 What’s New with IPSec? Management IP Security Monitor IP Security Monitor Command-line management with Netsh Command-line management with Netsh Logical addresses for local IP configuration Logical addresses for local IP configuration Security Stronger cryptographic master key (Diffie-Hellman) Stronger cryptographic master key (Diffie-Hellman) Computer startup security Computer startup security Persistent policy for enhanced security Persistent policy for enhanced security Ability to exclude the name of the CA from certificate requests Ability to exclude the name of the CA from certificate requests Better default exemption handling Better default exemption handling Interoperability IPSec functionality over network address translation (NAT) IPSec functionality over network address translation (NAT) Improved IPSec integration with Network Load Balancing Improved IPSec integration with Network Load Balancing

19 Default Exempt Rules in IPSec Stored in the registry value: HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt NoDefaultExempt values 0123 RSVP RSVP IKE IKE Kerberos Kerberos Multicast Multicast Broadcast Broadcast IKE IKE Multicast Multicast Broadcast Broadcast RSVP RSVP IKE IKE Kerberos Kerberos IKE IKE RSVP RSVP IKE IKE Kerberos Kerberos Multicast Multicast Broadcast Broadcast IKE IKE Multicast Multicast Broadcast BroadcastXX

20 Managing IPSec with Netsh Options not available through the UI: Configure default exemptions Enable CRL checking Enable IKE logging Enable IPsec driver dynamic logging Enable persistent policy Configure startup exemptions demo demo

21 Network Access Quarantine for RRAS announcing… announcing…

22 What is Network Access Quarantine? RAS client meets Quarantine policies RAS client gets full access to network RAS client disconnected 1.RAS client fails policy check 2.Quarantine timeout Reached RAS client placed in Quarantine Remote access client authenticates

23 What are policy rules? Quarantine policy rules are configurable, common rules may include: Service packs or the latest hotfixes installed Service packs or the latest hotfixes installed Antivirus software installed Antivirus software installed Antivirus signature files updated Antivirus signature files updated Routing disabled on RAS client Routing disabled on RAS client Internet Connection Firewall enabled Internet Connection Firewall enabled A password-protected screensaver enabled A password-protected screensaver enabled

24 Quarantine Architecture CM Profile Runs customizable post connect scriptRuns customizable post connect script Script runs RQC notifier with “results string”Script runs RQC notifier with “results string” Listener RQS receives Notifier “results string”RQS receives Notifier “results string” Compares results to possible resultsCompares results to possible results Removes time-out if response received but client out of dateRemoves time-out if response received but client out of date Removes quarantine filter if client up to dateRemoves quarantine filter if client up to date Quarantine VSAs Timer limits time window to receive notify before auto disconnectTimer limits time window to receive notify before auto disconnect Q-filter sets temporary route filter to quarantine accessQ-filter sets temporary route filter to quarantine access Internet RAS Client RRAS Server IAS Server Quarantine RQC.exe and RQS.exe are in the Windows Server 2003 Resource Kit

25 Detailed Quarantine ProcessConnect Authenticate Authorize Quarantine VSA + Normal Filters Policy Check Result Remove Quarantine QuarantineAccess Full Access Internet RAS Client RRAS Server IAS Server Quarantine

26 Software Restriction Policies Two modes: Disallowed, Unrestricted Control executable code:.ADE.ADP.BAS.BAT.CHM.CMD.CPL.CRT.EXE.HLP.HTA.INF.INS.ISP.JS.JSE.LNK.MDB.MDE.MSC.MSI.MSP.MST.PCD.PIF.REG.SCR.SCT.SHS.URL.VB.VBE.VBS.WSC.WSF.WSH

27 What SRP do not protect against Drivers or other kernel mode software Cannot protect against SYSTEM Any program run by the SYSTEM account. Cannot protect against SYSTEM Macros inside of Microsoft Office 2000 or Office XP documents Use Macro security settings Programs written for the common language runtime. These programs use the Code Access Security

28 Types of SRP Rules Path Rule Compares path of file being run to an allowed path list Compares path of file being run to an allowed path list Use when you have a folder with many files for the same application Use when you have a folder with many files for the same application Essential in when SRPs are strict Essential in when SRPs are strict Hash Rule Compares the MD5 or SHA1 hash of a file to the one attempted to be run Compares the MD5 or SHA1 hash of a file to the one attempted to be run Use when you want to allow/prohibit a certain version of a file from being run Use when you want to allow/prohibit a certain version of a file from being run Certificate Rule Checks for digital signature on application (i.e. Authenticode) Checks for digital signature on application (i.e. Authenticode) Use when you want to restrict both win32 applications and ActiveX content Use when you want to restrict both win32 applications and ActiveX content Internet Zone Rule Controls how Internet Zones can be accessed Controls how Internet Zones can be accessed Use when in high security environments to control access to web applications Use when in high security environments to control access to web applications

29 Rule Precedence What happens when multiple rules match a program? Trying to run Windows Calculator c:\winntUnrestricted A6A44A0E8A76C7B2174DE68C5B0F724D:114688:32771Disallowed c:\winnt\system32\calc.exeDisallowed Most specific matching rule wins: 1. Hash rule 2. Certificate rule 3. Path rule 4. Zone rule

30 How to Develop Policies? List allowed applications Start them up Consult system info (msinfo32.exe) Software Environment → Running Tasks Software Environment → Loaded Modules Software Environment → Startup Programs Create Rules Refine Rules Generalize rules C:\winnt → %WINDIR% C:\app\dir1, c:\app\dir2 → c:\app

31 Policy Gotchas Make sure you include the following: Some programs consist of many EXE’s Powerpnt.exe (clip art launches mstore.exe) Login Scripts Startup folders and registry keys Anti-virus Program Add-ins Have you allowed too much? Check ACL’s

32 Software Restriction Policies demo demo

33 Windows Server 2003 Security Configuration Guide Windows Server 2003 Security Guide http://go.microsoft.com/fwlink/?LinkId=14846 Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP http://go.microsoft.com/fwlink/?LinkId=15160

34 “We commend Microsoft for providing enhanced security guidance to its customers as well as for soliciting user input as part of the process of producing that guidance“ Clint Kreitner President/CEO “NIST reviewed and provided technical comments & advice, that was incorporated in this guidance” Timothy Grance Manager Systems and Network Security Group comments comments

35 Keep an eye out for… Security Configuration Wizard (SCW) The SCW will help administrators maximize the security of servers with common roles without sacrificing required functionality. Administrators can use the Security Configuration Wizard in SCE to construct security policies for their different types of servers, and perform Lockdown Testing to verify that systems function as expected. Microsoft Audit Collection Services (MACS) MACS is a tool to monitor and audit systems in a centralized manner. MACS collects security events in a compressed, signed, encrypted manner and loads the events into a SQL database for analysis.

36 Suggested Reading And Resources The tools you need to put technology to work! TITLE Available Today Microsoft ® Windows ® Security Resource Kit Writing Secure Code 2 Today Microsoft Press books are 20% off at the TechEd Bookstore Also buy any TWO Microsoft Press books and get a FREE T-Shirt

37 Quarantine Whitepaper: Network Access Quarantine Whitepaper: http://www.microsoft.com/windowsserver2003/techinfo/overview/qu arantine.mspx http://www.microsoft.com/windowsserver2003/techinfo/overview/qu arantine.mspx Software Restriction Policy http://www.microsoft.com/windows2000/technologies/security/redir- wnetsafer.asp http://www.microsoft.com/windows2000/technologies/security/redir- wnetsafer.asp Windows Server 2003 Resource Kit Tools Download: http://go.microsoft.com/fwlink/?LinkId=4544 appendix... appendix...

38 Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.mvp.support.microsoft.com/ Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://www.microsoft.com/communities/newsgroups/default.mspx User Groups Meet and learn with your peers http://www.microsoft.com/communities/usergroups/default.mspx

39 evaluations evaluations

40 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Download ppt "SEC302 Windows Server 2003 Security Enhancements Ben Smith Senior Security Strategist Microsoft Corporation."

Similar presentations

Security Features in Microsoft® Windows® XP James Noyce, Senior Consultant Security Solutions Team, Business Critical Services Microsoft Security Solutions,

Security Features in Microsoft® Windows® XP James Noyce, Senior Consultant Security Solutions Team, Business Critical Services Microsoft Security Solutions,
Faith Allington Program Manager Microsoft Corporation WSV322.

Faith Allington Program Manager Microsoft Corporation WSV322.
©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
SEC313 Securing Enterprise Platforms And Perimeters AKA – Building a Perimeter Platform and Infrastructure (with security) Ben Smith Senior Security Strategist.

SEC313 Securing Enterprise Platforms And Perimeters AKA – Building a Perimeter Platform and Infrastructure (with security) Ben Smith Senior Security Strategist.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
VMware vCenter Server Module 4.

VMware vCenter Server Module 4.
Module 16: Software Maintenance Using Windows Server Update Services.

Module 16: Software Maintenance Using Windows Server Update Services.
Security of Communication & IT systems Bucharest, 21 st September 2004 Stephen McGibbon Chief Technology Officer, Eastern Europe, Russia & CIS Senior Director,

Security of Communication & IT systems Bucharest, 21 st September 2004 Stephen McGibbon Chief Technology Officer, Eastern Europe, Russia & CIS Senior Director,
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Module 7: Implementing Security Using Group Policies.

Module 7: Implementing Security Using Group Policies.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Similar presentations

Ads by Google