1. Sinergija09 :: Akcija!!! Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 ! Kompanija Microsoft Software je u saradnji sa partnerskom firmom Network Security Solutions rešila da pokloni svim zainteresovanim firmama učesnicama Sinergije09, bez obzira na broj prijavljenih posetilaca konferencije, po jednu besplatnu osnovnu procenu bezbednosti web sajta. Prijave do 30. Novembra http://www.netsec.rshttp://www.netsec.rs

2. Protecting Windows and Web applications Dejan Levaja, MVP [Enterprise Security] Network Security Solutions http://www.netsec.rs

3. Agenda Server 2008 Security mehnizmi - podsetnik IIS 7 security Patching Auditing Scanning and Assessment Hardening Security Testing

4. Security and protection Security improvements to the kernel – Kernel patch protection for 64-bit editions – Security improvements to the heap manager – Security improvements to the registry – Code integrity – Data Execution Prevention – Address Space Layout Randomization – Windows Resource Protection Security improvements to Windows services – Windows service hardening – Session 0 isolation – Named pipe hardening Windows Integrity Mechanism Windows Internet Explorer 7/8 – Protected mode – Extended Validation SSL certificates Extensible logon architecture Cryptography Next Generation Authentication protocol improvements – Windows implementation of the Kerberos protocol – TLS/SSL cryptographic enhancements

5. Threats and vulnerabilities mitigation Server role security configuration Server Core installation option User Account Control Web Server (IIS) role Backup and recovery Windows Firewall with Advanced Security Network Policy and Access Services role – Network Policy Server – Network Access Protection – Routing and Remote Access

6. Secure configuration assessment and management Security auditing Server security policy management Security Configuration Wizard Authorization Manager Group Policy Active Directory Domain Services – Fine-grained password policies – Auditing

7. Identity and access control Smart cards 802.1X authenticated wired and wireless access Backup and restore of stored user names and passwords Credential Security Service Provider and single sign-on for Terminal Services logon Previous logon information Access control user interface TrustedInstaller SID Restricted SIDs checks File system namespace modifications Default permissions changes Changes to tokens Integrity levels Icacls command-line tool OwnerRights SID BitLocker Drive Encryption Encrypting File System Active Directory Certificate Services – Cryptography Next Generation – Online Certificate Status Protocol – Network Device Enrollment Service – Web enrollment – Policy settings – Restricted enrollment agent – Enterprise PKI snap-in Active Directory Domain Services Active Directory Rights Management Service

8. IIS 7 Security Ranjivosti – IIS 7 (2006. – Sinergija09)=> 2 – Apache 2.2 (2006. – Sinergija09)=> 17 – IIS 6 (2003. – Sinergija09)=> 8 – Apache 2.0 (2003. – Sinergija09)=> 41 Authentication IP and Domain Restriction URL Authorization Request Filtering Certificates

9. IIS 7 Security - Authentication Izmene – IUSR_machine_name => IUSR – IUSR_machine_name postoji samo ako postoji i FTP – IUSR radi u bezbednosnom kontekstu worker procesa (network service) – IUSR nema lozinku – IUSR_WPG => IIS_IUSR – Najvažnije: IUSR i IIS_IUSR su Built-In nalozi –> svuda isti SID -> moguć XCOPY /O Authentication – Anonymous – Basic – Windows – Forms – Certificates* – Digest – ASP.NET Impersonation

10. IIS 7 Security - IP and Domain Restriction Ograničenje pristupa po IP adresi Ograničenje pristupa po imenu domena (zahteva reversni DNS lookup!) – Demo Dynamic IP Restrictions Extension (beta) – http://www.iis.net/extensions/DynamicIPRestrictions http://www.iis.net/extensions/DynamicIPRestrictions

11. IIS 7 Security - URL Authorization NTFS vs URL autorizacija – xcopy /o Demo – Scenario Isključimo Anon Auth, uključimo Basic kreiramo grupu kreiramo korisnike i dodamo ih u grupu obrišemo defaultni URL Authorization Rule i kreiramo novi – Sve ovo može i iz CMD-a (appcmd.exe)!

12. Request Filtering – simple WAF URLScan => Request Filtering – Filter Double-Encoded Requests ‘\’ => %5c – ‘% ‘=> %25 » %255c scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ (IIS 5.0) – Filter High Bit Characters – Filter Based on File Extensions – Filter Based on Request Limits – Filter by Verbs – Filter Based on URL Sequences /../, – Filter Out Hidden Segments

13. Certificates SSL – one to many mapping – one to one mapping – AD mapping – CLR, delta CRL – Next, next, finish Demo

14. Patching Windows Update – <= Vista – OS + IE Microsoft Update – Windows Update + MS Office + Exchange + SQL +... – http://www.update.microsoft.com/ http://www.update.microsoft.com/ Automatic Update Patch Tuesday ( and Exploit Wednesday ) Microsoft Catalog – http://catalog.update.microsoft.com http://catalog.update.microsoft.com

15. Patching WSUS 3.0 – Sastavni deo Servera 2008 (KB 940518) – SUS == OS; WSUS == OS + ostalo – WSUS = IIS 7+ SQL (WID) + Microsoft Update – GPO ili Registry GPO => Computer Configuration\Administrative Templates\Windows Components\Windows Upddate\Specify Intranet Microsoft Update Service Location Registry => KLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ – reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate » /v WUServer /t REG_SZ /d http://wsus.netsec.localhttp://wsus.netsec.local » /v WUStatusServer /t REG_SZ /d http://wsus.netsec.localhttp://wsus.netsec.local

16. Auditing Auditing in Server 2008 – 4GB vs >petabyte – n*1000 evt/sec vs n*10000 evt/sec – granular audit policy (GAP) – GPO (R2), AuditPol.exe EventViewer – XML eventquery.vbs wevtutil.exe Demo: Failed logons – wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text > logon.txt wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text > logon.txt

17. Scanning MBSA – Security Updates, Administrative Vulnerabilities, IIS, SQL, Desktop apps – WSUS i MBSA – GUI, cmd (mbsacli.exe) – Online, Offline – wsusscn2.cab - http://go.microsoft.com/fwlink/?LinkId=76054http://go.microsoft.com/fwlink/?LinkId=76054 – Visio Connector (2003,2007) – %userprofile%\SecurityScans – Demo: mbsacli.exe /target 192.168.0.10 /u administrator /p P@ssw0rd mbsacli.exe /n SQL+IIS /catalog c:\wsusscan2.cab /nd

18. Assessment MSAT – MSAT is designed to help you identify and address security risks in your IT environment. – http://technet.microsoft.com/en-us/security/cc185712.aspx http://technet.microsoft.com/en-us/security/cc185712.aspx Preko 200 pitanja baziranih na ISO 27001 Infrastructure, Applications, Operations, People Demo

19. Hardening Windows Firewall with Advanced Security IPSec => Server and Domain Isolation – R2 or not R2 ? – Demo Security Configuration Wizard – Demo

20. Security Testing Vulnerability Assessment – popisuje ranjivosti – MBSA,... Penetration Testing – dokazuje da je moguće iskoristiti prona đ ene ranjivosti – browser + proxy, metasploit,... Besplatno testiranje bezbednosti web sajta za sve firme-učesnike Sinergije09 ! Prijave do 30. Novembra http://www.netsec.rshttp://www.netsec.rs

21. Molimo vas da popunite ankete! Please fill out the evaluations! Vaše mišljenje čini osnovu sledeće Sinergije i omogućava nam da oblikujemo sadržaj u skladu sa Vašim željama. Svi posetioci koji popune ankete ulaze u nagradnu igru Your opinion forms the next Sinergija conference, and it provides us with the means to shape its content to best suit you. All attendees that fill out the evaluations are taking part in drawing of special prizes

22. Hvala! dejan.levaja@netsec.rs Microsoft Community Serbia http://www.msforge.net http://www.msforge.net