Leveraging your Active Directory (AD) for Perimeter Defense – Inside and Out (SEC205) Richard Warren Internet and Security Training Specialist SEC205.


1 Leveraging your Active Directory (AD) for Perimeter Defense – Inside and Out (SEC205) Richard Warren Internet and Security Training Specialist SEC205

2 Agenda
- Security Issues Today
- The “Inside” – Good or Bad?
- Why Active Directory?
- Internal Access with Integrity
- The Who and How of External Access
- When a Web Proxy is not Enough

3 At Risk – Security Issues Today: The Soft Underbelly
- 14B devices on the Internet by 2010 [1]
- 35M remote users by 2005 [2]
- 65% increase in dynamic Web sites [3]
- From 2000 to 2003 reported incidents rose from 21,756 to 137,529 [4]
- Nearly 80 percent of 445 respondents surveyed said the Internet has been a frequent point of attack, up from 57 percent just four years ago [5]
- 90% detected security breaches [6]
- 85% detected computer viruses [6]
- 95% of all breaches avoidable with an alternative configuration [7]
- Approximately 70 percent of all Web attacks occur at the application layer [8]
Sources: [1] Forrester Research; [2] Information Week, 26 November 2001; [3] Netcraft summary; [4] CERT, 2005; [5] CSI/FBI Computer Crime and Security Survey; [6] Computer Security Institute (CSI) Computer Crime and Security Survey 2002; [7] CERT, 2002; [8] Gartner Group

4 Application Layer Attacks – Implications
Application Layer Attacks:
- Identity Theft
- Web Site Defacement
- Unauthorized Access
- Modification of Data, Logs and Records
- Theft of Proprietary Information
- Service Disruption
Compliance:
- Basel 2 (EU)
- Data Protection Act (EU)
- Gramm Leach Bliley
- HIPAA (US)
- The Privacy Act (CA)
- Sarbanes Oxley (U.S.)
- U.S. Patriot
Litigation:
- File Sharing Piracy
- HR Issues
- Shareholder Suits
Customer Impact from Security Issues

5 The “Inside” – Good or Bad?

6 Attacks from Insiders! Who can you trust?
- Large % of threats occur from the inside
- Users surfing inappropriate/malicious web sites
- Users not logging into the AD Domain (Security Policy)
- Users searching for web servers with confidential information
- Disgruntled Employees – Contractors – Office Visitors

7 Internet Access for your Users
Business Need: Enable users to communicate across the Internet
Risk to Organization:
- Use of instant messaging over the Internet may reveal confidential information
- Users’ access to personal e-mail may bypass corporate e-mail protection
Business Need: Enable users to access legitimate information on the Internet
Risk to Organization:
- Users may inadvertently access insecure content
- Difficult configuration may lead to mistakes that threaten security
- Users may access inappropriate Web sites and content
- Peer-to-peer applications and illegal downloads may expose the company to lawsuits

8 Internet Access for your Users
Business Need: Control and monitor users’ Internet access
Risk to Organization:
- Limited application layer filtering prevents meaningful access control
- Logs that are difficult to view may prevent administrators from discovering problems
- A lack of reporting capabilities prevents management from evaluating use of the Internet by employees

9 Why Active Directory

10 Why Active Directory?
- Plays a key role in Distributed Security
  - Required for domain logon (authentication)
  - Grants access to resources (authorization)
- Plays a key role in Identity Management
  - Stores and protects identities

11 Why Active Directory?
- Plays a key role in Windows manageability
  - Facilitates management of network resources
  - Facilitates delegation of administrative authority
  - Enables centralized policy control
- Plays a key role in enabling other technologies
  - RRAS, Microsoft Certificate Services, Microsoft Exchange, etc.
Tremendously powerful resource – Use and Enforce It!!!

12 Web Access with Integrity Internal and External

13 Web Access with Integrity
- Application Layer Firewalls
- Inspect Intranet and Incoming External Traffic
- Monitor & Log Intranet Access by Username!

14 Web Access with Integrity – Application Layer Firewalls (ISA Server 2004)
- Most firewalls are external! What about the inside threat?
- Protect Intranet Servers with Intelligent Firewalls
- Protect Web Servers in DMZ with application protection
  - Not only who but what is being sent to my servers
  - Use Application layer inspection for malicious traffic

15 A Traditional Firewall’s View Of A Packet
- IP Header: Source Address, Dest. Address, TTL, Checksum
- TCP Header: Sequence Number, Source Port, Destination Port, Checksum
- Application Layer Content: ?????????????????????? (appears as a “black box”)
Only packet headers are inspected; forwarding decisions are based on port numbers. Legitimate traffic and application layer attacks use identical ports.
[Diagram: traffic from the Internet to the Corporate Network – Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]

16 ISA Server’s View Of A Packet
- IP Header: Source Address, Dest. Address, TTL, Checksum
- TCP Header: Sequence Number, Source Port, Destination Port, Checksum
- Application Layer Content: MSNBC - MSNBC Front Page <link rel="stylesheet"
Packet headers and application content are inspected; forwarding decisions are based on content. Only legitimate and allowed traffic is processed.
[Diagram: traffic from the Internet to the Corporate Network – Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]

17 Integrity = Application Layer Security
- Most of today’s attacks are directed against applications
  - Examples: Mail clients (worms, Trojan horse attacks), Web browsers (malicious Java applets)
- Applications encapsulate traffic in HTTP traffic
  - Examples: Peer-to-peer, instant messaging
- Traditional firewalls cannot determine what traffic is sent or received
- Dynamic port assignments require too many incoming ports to be opened
  - Examples: FTP, RPC

18 Web Access with Integrity – Stop unauthenticated access to your Intranet Portals
- Web Publishing Intranet Portal with ISA Server 2004
  - Force Authentication via Active Directory
  - Keep out anonymous connections without load on the Web Server
- Enforce user logon to the Domain
  - Ensure group policy and other security measures are enforced

19 Web Access with Integrity – Incoming Access: Connect to Secure Point of Access
- Protect Web Servers in DMZ or Internal Network
  - ISA Server 2004 – Web Publish (Reverse Proxy)
- Inspect Incoming Traffic via Web Filters
  - HTTP Inspection
  - Monitor for malicious web traffic

20 Web Access with Integrity – Protect Exchange (Messaging) Servers
- Outlook Web Access
- Outlook SSL Connections – Outlook 2003/Exchange 2003
- Outlook Mobile Access / ActiveSync
- Full RPC Filtering for Exchange
  - Only traffic to Exchange Servers

21 Web Access with Integrity – Outlook Web Access
Authentication:
- Unauthorized requests are blocked before they reach the Exchange server
- Enforces all OWA authentication methods at the firewall
- Provides forms-based authentication at the firewall before reaching OWA
Inspection:
- Invalid HTTP requests or requests for non-OWA content are blocked
- Inspection of SSL traffic before it reaches the Exchange server*
Confidentiality:
- Ensures encryption of traffic over the Internet at the firewall
- Can prevent the downloading of attachments to client computers separate from intranet users
[Diagram labels: Web Server Attacks, Password Guessing, OWA Traffic, SSL Tunnel, Inspection, Authentication, Internet, Exchange Server, OWA Front End]
*Note: Full ISA inspection is not available if GZip compression is used by OWA.

22 Authentication Framework
- Multi-source authentication
- Firewall client authentication (Web Proxy): transparent user authentication; application transparent, protocol independent; Kerberos/NTLM
- Web proxy authentication: proxy auth, reverse proxy auth, pass-through auth, SSL bridging; Basic, Digest, NTLM, Kerberos, Certificates
- RADIUS authentication, SecurID authentication
- CRL support
- Extensible authentication/authorization framework

23 Web Publishing with ISA Server Using Active Directory Integrated Web Access Demo

24 The Who and How of External Access

25 Who? – External Access
- Who is getting out of your network? Vendors – Visitors – Consultants
- And what are they doing? Peer to Peer File Sharing – Instant Messaging – File Transfer

26 How? – External Access
- Leverage Active Directory: Integrated Web Proxy with ISA Server 2004
  - Ensure only authorized users have external access
  - Base external access on AD groups
  - Log access based on USER NAME and not IP Address
- Know your exit points to external networks
  - How many DMZ’s? Departmental external access?
  - Force all access through secure Web Proxies

27 How? – External Access
- Provides superior application-layer protection for corporate clients
- Enforces corporate policies
  - Limits access to allowed sites
  - Limits access to allowed protocols
  - Provides for user and group based rules
  - Lets rules apply based on schedule
- Partners provide easy extensibility
  - Virus checking
  - Web access blocking based on a database of problematic sites

28 How? – External Access: HTTP Filtering
- Flexible control over allowed content

29 Web Proxy Access with ISA Server Using Active Directory Integrated Web Proxy Demo

30 When a Web Proxy is Not Enough?

31 Web Proxy – Intelligent?
- Port 80 Outbound – and away we go!
  - Peer to Peer Applications search for this
  - Instant Messaging uses Port 80 (HTTP)
- How do you stop it? Web & Application Filters
  - Search for Signatures of these applications
  - ISA Server has built-in web/application filters
  - Block the apps even in HTTP traffic
  - Prevent tunneling of other protocols in HTTP
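Slides 15–17 contrast a forwarding decision made on port numbers alone with one made on the HTTP content itself, and slide 31 adds that peer-to-peer and instant-messaging traffic rides the same port 80 unless something looks inside. The Python below is an added illustration written for this transcript; it is not ISA Server code and does not reproduce ISA's web-filter API. `port_only_decision` stands in for the traditional packet filter and `inspect_http` for a minimal application-layer check on the first bytes of a stream arriving at the HTTP port of a published web server. The method allow-list, the URL length limit, the sample requests and all host names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical policy for an inbound (Web-publishing) listener. CONNECT is
# deliberately absent: it turns the HTTP port into a raw tunnel. Values are
# constructed for this example, not ISA Server defaults.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 2048

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^([A-Za-z0-9_-]+):[ \t]*(.*?)[ \t]*$")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def port_only_decision(dst_port: int) -> Verdict:
    """A traditional packet filter: the only input it has is the port number."""
    if dst_port in (80, 443):
        return Verdict(True, f"port {dst_port} is open; payload not inspected")
    return Verdict(False, f"port {dst_port} is closed")


def inspect_http(payload: bytes) -> Verdict:
    """Application-layer check on the start of a TCP stream that arrived on port 80."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # Whatever this is (TLS, a P2P handshake, SMTP), it is not HTTP.
        return Verdict(False, "non-HTTP data on the HTTP port")
    method, target = m.group(1).decode("ascii"), m.group(2)
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed")
    if len(target) > MAX_URL_LENGTH:
        return Verdict(False, "URL exceeds configured maximum length")
    head_end = payload.find(b"\r\n\r\n")
    if head_end == -1:
        return Verdict(False, "incomplete or unterminated header block")
    # An empty header block means the blank line directly follows the request line.
    header_block = payload[m.end():head_end] if head_end >= m.end() else b""
    headers = {}
    for line in header_block.split(b"\r\n") if header_block else []:
        hm = HEADER_LINE.match(line)
        if not hm:
            return Verdict(False, f"malformed header line {line!r}")
        headers[hm.group(1).lower()] = hm.group(2)
    if b"host" not in headers:
        return Verdict(False, "missing Host header")
    # A protocol switch negotiated inside HTTP is another way to tunnel.
    if b"upgrade" in headers or b"upgrade" in headers.get(b"connection", b"").lower():
        return Verdict(False, "protocol upgrade/tunnel attempt inside HTTP")
    return Verdict(True, f"{method} {target.decode('ascii', 'replace')} is well-formed HTTP")


# Constructed sample streams, all of which a port-only filter would forward to port 80.
SAMPLES = {
    "legitimate": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: demo\r\n\r\n",
    "tls_on_port_80": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",  # start of a TLS record, not HTTP
    "connect_tunnel": b"CONNECT example.net:443 HTTP/1.1\r\nHost: example.net:443\r\n\r\n",
    "upgrade_tunnel": b"GET /chat HTTP/1.1\r\nHost: intranet.example\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n",
    "long_url": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
}


def run_samples():
    """Evaluate every sample both ways: {name: (port_only_allowed, inspected_allowed, reason)}."""
    results = {}
    for name, payload in SAMPLES.items():
        v = inspect_http(payload)
        results[name] = (port_only_decision(80).allowed, v.allowed, v.reason)
    return results


if __name__ == "__main__":
    for name, (by_port, by_content, reason) in run_samples().items():
        print(f"{name:16} port-filter={'allow' if by_port else 'block':5} "
              f"inspected={'allow' if by_content else 'block':5} {reason}")
```

Every sample gets "allow" from the port-only decision and only the first gets "allow" after inspection, which is the whole argument of slides 15 and 16 in one table. A production filter would go further (body length and content-type checks, signature matching as slide 31 describes), but the shape is the same: parse the protocol, then decide.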

32 When a Web Proxy is Not Enough – Inspect HTTP Traffic with ISA 2004
- Don’t just cache
  - Inspect inbound web traffic
  - Secure what leaves your network
- Know what leaves and who sent it!!
  - Force all Users to logon to the Domain for External Access
  - Log users by name
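Slides 26 and 32 both insist on logging access by user name rather than IP address. The Python below is an added example for this transcript and is not ISA Server's logging or reporting feature. It parses a constructed proxy log in W3C extended log format (the `#Fields:` directive and field names such as `c-ip`, `cs-username` and `cs-uri` follow the W3C convention; the lines themselves are invented) and shows what username attribution gives the administrator: a per-user summary across changing client addresses, the requests that carried no authenticated identity at all, and a client address shared by more than one account, which an IP-only log would lump into a single "user".

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in W3C extended log format. Users, addresses and
# destinations are invented for this example; the 407 lines represent a
# client that never completed proxy authentication.
SAMPLE_LOG = """\
#Software: constructed sample for illustration, not real proxy output
#Fields: date time c-ip cs-username cs-method cs-uri sc-status
2006-03-14 09:01:12 10.1.4.22 CORP\\alice GET http://intranet.example/portal/ 200
2006-03-14 09:01:15 10.1.4.22 CORP\\alice GET http://www.example.com/news 200
2006-03-14 09:02:40 10.1.4.22 CORP\\bob GET http://files.example.net/share 200
2006-03-14 09:03:01 10.1.9.7 - GET http://www.example.com/ 407
2006-03-14 09:03:02 10.1.9.7 - GET http://www.example.com/ 407
2006-03-14 09:05:30 10.1.4.31 CORP\\alice POST http://webmail.example.org/login 200
2006-03-14 09:06:00 10.1.4.31 CORP\\alice GET http://p2p-tracker.example/announce 403
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of {field: value} rows."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def summarize_by_user(rows):
    """Per-user request count, denied count, destination hosts and client addresses."""
    summary = defaultdict(lambda: {"requests": 0, "denied": 0, "hosts": set(), "client_ips": set()})
    for r in rows:
        s = summary[r["cs-username"]]
        s["requests"] += 1
        if int(r["sc-status"]) >= 400:
            s["denied"] += 1
        s["hosts"].add(urlsplit(r["cs-uri"]).hostname)
        s["client_ips"].add(r["c-ip"])
    return {user: {**s, "hosts": sorted(s["hosts"]), "client_ips": sorted(s["client_ips"])}
            for user, s in summary.items()}


def unauthenticated_requests(rows):
    """Rows with no username ('-'). Where domain logon is enforced, these are the
    requests that could never be attributed to a person from the address alone."""
    return [r for r in rows if r["cs-username"] == "-"]


def users_sharing_ip(rows):
    """Client addresses used by more than one authenticated account."""
    by_ip = defaultdict(set)
    for r in rows:
        if r["cs-username"] != "-":
            by_ip[r["c-ip"]].add(r["cs-username"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for user, s in summarize_by_user(rows).items():
        print(f"{user:12} requests={s['requests']} denied={s['denied']} "
              f"from={s['client_ips']} to={s['hosts']}")
    print("unauthenticated:", len(unauthenticated_requests(rows)))
    print("shared addresses:", users_sharing_ip(rows))
```

In the sample, alice appears from two addresses and alice and bob share one, so a report keyed on `c-ip` would both split one person's activity and merge two people's; keyed on `cs-username` it does neither, and the anonymous 407 entries stand out as the connections that never satisfied the "force logon to the domain" requirement.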

33 Leveraging Active Directory for Perimeter Defense
[Diagram: layers – Data and Resources, Application Defenses, Host Defenses, Network Defenses, Perimeter Defenses]
Perimeter Defense:
- Protect Intranet Servers
- Lock Down Web Access
- Active Directory Integration
Application Layer firewalls are becoming increasingly important: HTTP Tunneling, SSL encryption, Anonymous connections

34 Community Resources
http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.microsoft.com/communities/mvp
- Newsgroups – Converse online with Microsoft Newsgroups, including Worldwide: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
- User Groups – Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

35 Microsoft Learning Resources
- Come and talk to Microsoft Learning to find out more about developing your skills; you can find us in the ‘Ask the Experts’ area
- Special offers on Microsoft Certification from Microsoft Learning
- Free Microsoft Learning Assessments: http://www.microsoft.com/learning/assessment/ind/default.asp
- FREE e-learning for Microsoft Visual Studio 2005 and Microsoft SQL Server 2005 with free Assessments and E-Learning: http://www.microsoft.com/learning/mcp/

36 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

