SEC302 Windows Server 2003 Security Enhancements
Ben Smith, Senior Security Strategist, Microsoft Corporation


Agenda

What We Did Differently
Security Enhancements in Windows Server 2003
IIS 6.0 Re-architecture
Changes with Permissions
System Services
Enhancements to IPSec
All new: Network Access Quarantine
Software Restriction Policies
Windows Server 2003 Security Guidance
What’s coming…

The Security Framework: SD3+C

Secure by Design
Mandatory training
Built threat models
Conducted code reviews and penetration testing
Used automated code tools
Redesigned IIS 6.0 architecture

Secure by Default
60% less attack surface area by default compared to Windows NT 4.0 SP3
20+ services changed to be off by default
Services install in a secure state (IIS 6.0 Lockdown)

Secure by Deployment
New patch management tools
7 Microsoft Official Curriculum courses available at launch
Official security configuration guides
Integrated security tools

Communications
Writing Secure Code 2.0
Architecture webcasts

Security in Active Directory

Cross-Forest Trusts
Enables administrators to create external forest-to-forest trusts.

Cross-Forest Authentication
Enables secure access to resources when the user account is in one forest and the computer account is in another forest.

Cross-Forest Authorization
Enables administrators to select users and groups from trusted forests for inclusion in local groups or ACLs.

IAS and Cross-Forest Authentication
If Active Directory forests are in cross-forest mode with two-way trusts, then IAS/RADIUS can authenticate the user account in the other forest.

PKI Enhancements

Cross-Certification Support
Role separation
Custom Certificate Templates (Version 2)
Delta CRLs
Key Archival/Recovery
Auto-enrollment
Auditing of admin operations

See: Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp

Miscellaneous Enhancements

DLL search order priority changed from working directory to \windows\system32

AES-256-bit encryption default in EFS

Everyone group no longer includes anonymous users (Users and Guests)

Accounts with blank passwords are console-bound

Protected EAP (PEAP)

Detailed security auditing

RRAS Basic Firewall

Miscellaneous Enhancements

IIS 6.0 Lockdown mode
IIS Re-architecture
Authorization Manager (AuthMan)
Credential Manager (CredMan)
Constrained Delegation
.NET Framework 1.1 Code Access Security
Administrator password complexity
Screen saver timeout

Miscellaneous Enhancements

Account Logon auditing enabled by default
Anonymous access restricted to: SAM, Named Pipes, Shares
Remote registry decoupled from Server service
NTLM Compatibility blocks LM from the wire
IE Lockdown
Terminal Server rights control
DPAPI Integration
Greatly improved Help file for security

IIS 5 Request Processing

[Diagram: IIS 5 request processing. Kernel mode: TCP/IP, AFD, WinSock. User mode: INETINFO.exe (hosting FTP, NNTP, SMTP and the Metabase) handles the request/response path, with DLLHOST.exe processes alongside it.]

IIS 6.0 Request Processing

[Diagram: IIS 6.0 request processing. Kernel mode: TCP/IP and HTTP with its Cache and request Queues. User mode: WWW Service (Administration & Monitoring), Inetinfo with the XML Metabase, FTP, NNTP, SMTP, and worker processes in Application Pools handling the request/response path.]

Detailed Security Auditing (example)

The Security Framework at Microsoft (video)

(Yes – the same old video you have seen before)

STOP. There is no time for this! This is a level 300 session.

Permissions

Default NTFS permissions locked down

Was: Everyone Full Control

Now: Everyone, Read and Execute (Root only)

Users Read and Execute, Create Folder, Create File

SYSTEM, Creator, Administrators Full Control

Default share permissions

Was: Everyone Full Control

Now: Everyone Read

New Features:

Effective Permissions Tool

Replace Owner through GUI

Permissions

Seeing is believing! (quick demo)

What do all of these services have in common?

Alerter, Clipbook, Distributed Link Tracking (Server), Imapi CDROM Burning Service, Human Interface Devices, ICS/ICF, Intersite Messaging, KDC, License Logging Manager, Terminal Server Discovery Service, Windows Image Acquisition, Messenger, NetMeeting, NetDDE, NetDDE DSDM, RRAS, Telnet, Themes, WebClient, Windows Audio

Startup = Disabled

System Service Accounts

Local Service and Network Service
No password to manage
Runs with only slightly more permissions than Authenticated User
Local Service cannot authenticate across the network; Network Service authenticates as the computer account

Local System
No password to manage
Bypasses security checks

User Accounts
Run with less privilege than Local System
Stores password as an LSA secret
Can be complex to configure

Enumerating Services with WMIC (quick demo)

What’s New with IPSec?

Management
IP Security Monitor
Command-line management with Netsh
Logical addresses for local IP configuration

Security
Stronger cryptographic master key (Diffie-Hellman)
Computer startup security
Persistent policy for enhanced security
Ability to exclude the name of the CA from certificate requests
Better default exemption handling

Interoperability
IPSec functionality over network address translation (NAT)
Improved IPSec integration with Network Load Balancing

Default Exempt Rules in IPSec

Stored in the registry value:
HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

NoDefaultExempt value   Traffic exempt from IPSec filtering
0                       RSVP, IKE, Kerberos, Multicast, Broadcast
1                       IKE, Multicast, Broadcast
2                       RSVP, IKE, Kerberos
3                       IKE

Managing IPSec with Netsh

Options not available through the UI:
Configure default exemptions
Enable CRL checking
Enable IKE logging
Enable IPsec driver dynamic logging
Enable persistent policy
Configure startup exemptions

demo

announcing… Network Access Quarantine for RRAS

What is Network Access Quarantine?

[Diagram: Remote access client authenticates → RAS client placed in Quarantine → RAS client meets Quarantine policies → RAS client gets full access to network. RAS client disconnected when: 1. RAS client fails policy check; 2. Quarantine timeout reached.]

What are policy rules?

Quarantine policy rules are configurable; common rules may include:
Service packs or the latest hotfixes installed
Antivirus software installed
Antivirus signature files updated
Routing disabled on RAS client
Internet Connection Firewall enabled
A password-protected screensaver enabled

Quarantine Architecture

[Diagram: RAS Client → Internet → RRAS Server → IAS Server; the RRAS Server enforces Quarantine.]

CM Profile
• Runs customizable post-connect script
• Script runs RQC notifier with “results string”

Listener
• RQS receives Notifier “results string”
• Compares results to possible results
• Removes time-out if response received but client out of date
• Removes quarantine filter if client up to date

Quarantine VSAs
• Timer limits time window to receive notify before auto disconnect
• Q-filter sets temporary route filter to quarantine access

RQC.exe and RQS.exe are in the Windows Server 2003 Resource Kit

Detailed Quarantine Process

[Diagram: RAS Client → Internet → RRAS Server ↔ IAS Server. Steps: Connect → Authenticate → Authorize (Quarantine VSA + Normal Filters) → Quarantine Access → Policy Check → Result → Remove Quarantine → Full Access.]
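The quarantine architecture and the detailed process above, as an added Python model (not the Resource Kit's RQC/RQS code): IAS hands back a timer and a quarantine filter, the client's script reports a results string, and the RRAS-side listener either lifts the quarantine filter or, following the earlier slide where a failed policy check disconnects the client, drops the session. The VSA layout, filter names and accepted results strings are constructed for the example.

```python
"""Toy model of the RRAS Network Access Quarantine flow on these slides.
Added example, not the Resource Kit's RQC/RQS code: the VSA layout, the
filter names and the accepted "results strings" are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: results strings RQS accepts (one per approved script
# version); anything else counts as a failed policy check.
ACCEPTED_RESULTS = {"v2-sp1-av-ok", "v2-sp1-av-fw-ok"}

@dataclass
class QuarantineVSA:
    """What IAS returns on authorization: a timer and a quarantine filter."""
    timeout_seconds: int  # window to receive the notify before auto disconnect
    filter_name: str      # temporary route filter limiting the client to quarantine access

@dataclass
class Session:
    state: str = "connected"  # connected -> quarantined -> full | disconnected
    filters: List[str] = field(default_factory=list)
    timer_left: Optional[int] = None

    def authorize(self, vsa: Optional[QuarantineVSA]) -> str:
        """Authorize step: normal filters plus, if present, the quarantine VSA."""
        self.filters = ["normal"]
        if vsa is None:            # no quarantine policy: full access at once
            self.state = "full"
        else:
            self.filters.append(vsa.filter_name)
            self.timer_left = vsa.timeout_seconds
            self.state = "quarantined"
        return self.state

    def tick(self, seconds: int) -> str:
        """Advance the quarantine timer; expiry disconnects the client."""
        if self.state == "quarantined":
            self.timer_left -= seconds
            if self.timer_left <= 0:
                self.state, self.filters, self.timer_left = "disconnected", [], None
        return self.state

    def rqs_notify(self, results: str) -> str:
        """RQS listener: compare the notifier's results string to the accepted set."""
        if self.state != "quarantined":
            return self.state          # nothing to do once out of quarantine
        if results in ACCEPTED_RESULTS:
            # Client up to date: remove the quarantine filter, keep normal ones.
            self.filters = [f for f in self.filters if f == "normal"]
            self.state, self.timer_left = "full", None
        else:
            # Failed policy check: the slide's outcome is a disconnect.
            self.state, self.filters, self.timer_left = "disconnected", [], None
        return self.state

def walkthrough() -> List[str]:
    """The detailed process slide: authorize, wait, policy result, remove quarantine."""
    s = Session()
    trace = [s.authorize(QuarantineVSA(120, "q-filter")), s.tick(30),
             s.rqs_notify("v2-sp1-av-ok")]
    return trace + [",".join(s.filters)]
```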

Software Restriction Policies

Two modes: Disallowed, Unrestricted

Control executable code:

.ADE .ADP .BAS .BAT .CHM .CMD .CPL .CRT .EXE .HLP .HTA .INF

.INS .ISP .JS .JSE .LNK .MDB .MDE .MSC .MSI .MSP .MST .PCD

.PIF .REG .SCR .SCT .SHS .URL .VB .VBE .VBS .WSC .WSF .WSH

What SRP does not protect against

Drivers or other kernel mode software (cannot protect against SYSTEM)
Any program run by the SYSTEM account (cannot protect against SYSTEM)
Macros inside of Microsoft Office 2000 or Office XP documents (use Macro security settings)
Programs written for the common language runtime (these programs use Code Access Security)

Types of SRP Rules

Path Rule
Compares path of file being run to an allowed path list
Use when you have a folder with many files for the same application
Essential when SRPs are strict

Hash Rule
Compares the MD5 or SHA1 hash of a file to the one attempted to be run
Use when you want to allow/prohibit a certain version of a file from being run

Certificate Rule
Checks for digital signature on application (i.e. Authenticode)
Use when you want to restrict both Win32 applications and ActiveX content

Internet Zone Rule
Controls how Internet Zones can be accessed
Use when in high security environments to control access to web applications

Rule Precedence

What happens when multiple rules match a program?

Trying to run Windows Calculator:
c:\winnt   Unrestricted
A6A44A0E8A76C7B2174DE68C5B0F724D:114688:32771   Disallowed
c:\winnt\system32\calc.exe   Disallowed

Most specific matching rule wins:
1. Hash rule
2. Certificate rule
3. Path rule
4. Zone rule
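The precedence above, worked as an added Python model (not Microsoft's SRP code): it evaluates a constructed rule set for the Calculator case, expands a %WINDIR% path rule the way the later "Refine Rules" step generalizes paths, and builds hash rule identifiers in the slide's MD5:size:algorithm layout, where 32771 (0x8003) is CALG_MD5. The program bytes, paths and environment table are constructed samples.

```python
"""Model of Software Restriction Policy rule matching and precedence.
Added example, not Microsoft's implementation: rules, programs, hashes
and paths are constructed; 32771 (0x8003) in the hash id is CALG_MD5.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

CALG_MD5 = 0x8003  # 32771, the algorithm id in the slide's hash rule
PRECEDENCE = {"hash": 1, "certificate": 2, "path": 3, "zone": 4}
ENV = {"WINDIR": r"c:\winnt"}  # constructed; lets rules use %WINDIR%

@dataclass
class Rule:
    kind: str     # "hash", "certificate", "path" or "zone"
    pattern: str  # hash id, signer name, file/folder path or zone name
    level: str    # "Disallowed" or "Unrestricted"

@dataclass
class Program:
    path: str
    content: bytes
    signer: Optional[str] = None
    zone: Optional[str] = None

def hash_rule_id(content: bytes) -> str:
    """Build the MD5:size:CALG identifier in the slide's format."""
    return f"{hashlib.md5(content).hexdigest().upper()}:{len(content)}:{CALG_MD5}"

def expand(path: str) -> str:
    """Expand %VAR% tokens from ENV, then normalise separators and case."""
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normpath(path).lower()

def matches(rule: Rule, prog: Program) -> bool:
    if rule.kind == "hash":
        return rule.pattern == hash_rule_id(prog.content)
    if rule.kind == "certificate":
        return prog.signer is not None and rule.pattern == prog.signer
    if rule.kind == "path":
        target, prefix = expand(prog.path), expand(rule.pattern)
        # A path rule covers the named file/folder and everything beneath it.
        return target == prefix or target.startswith(prefix + "\\")
    return rule.kind == "zone" and prog.zone is not None and rule.pattern == prog.zone

def evaluate(rules: List[Rule], prog: Program,
             default: str = "Unrestricted") -> Tuple[str, Optional[Rule]]:
    """Return (level, winning rule); the most specific matching rule wins."""
    hits = [r for r in rules if matches(r, prog)]
    if not hits:
        return default, None  # nothing matched: the policy's default level
    # Order by rule type precedence, then prefer the longest (most specific) path.
    hits.sort(key=lambda r: (PRECEDENCE[r.kind],
                             -len(expand(r.pattern)) if r.kind == "path" else 0))
    return hits[0].level, hits[0]

def slide_scenario() -> Tuple[str, str]:
    """The Calculator case from the slide, with a constructed calc.exe body."""
    calc = Program(r"c:\winnt\system32\calc.exe", b"constructed calc.exe bytes")
    rules = [Rule("path", r"%WINDIR%", "Unrestricted"),
             Rule("hash", hash_rule_id(calc.content), "Disallowed"),
             Rule("path", r"c:\winnt\system32\calc.exe", "Disallowed")]
    level, winner = evaluate(rules, calc)
    return level, winner.kind
```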

How to Develop Policies?

List allowed applications
Start them up
Consult system info (msinfo32.exe):
Software Environment → Running Tasks
Software Environment → Loaded Modules
Software Environment → Startup Programs
Create Rules
Refine Rules
Generalize rules:
C:\winnt → %WINDIR%
C:\app\dir1, c:\app\dir2 → c:\app

Policy Gotchas

Make sure you include the following:

Some programs consist of many EXE’s

Powerpnt.exe (clip art launches mstore.exe)

Login Scripts

Startup folders and registry keys

Anti-virus

Program Add-ins

Have you allowed too much?

Check ACL’s

Software Restriction Policies (demo)

Windows Server 2003 Security Configuration Guide

Windows Server 2003 Security Guide

http://go.microsoft.com/fwlink/?LinkId=14846

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

http://go.microsoft.com/fwlink/?LinkId=15160

“We commend Microsoft for providing enhanced security guidance to its customers as well as for soliciting user input as part of the process of producing that guidance”

Clint Kreitner

President/CEO

“NIST reviewed and provided technical comments & advice, that was incorporated in this guidance”

Timothy Grance

Manager

Systems and Network Security Group

comments

Keep an eye out for…

Security Configuration Wizard (SCW) The SCW will help administrators maximize the security of servers with common roles without sacrificing required functionality. Administrators can use the Security Configuration Wizard in SCE to construct security policies for their different types of servers, and perform Lockdown Testing to verify that systems function as expected.

Microsoft Audit Collection Services (MACS) MACS is a tool to monitor and audit systems in a centralized manner. MACS collects security events in a compressed, signed, encrypted manner and loads the events into a SQL database for analysis.

Suggested Reading And Resources

The tools you need to put technology to work!

TITLE                                        Available
Microsoft® Windows® Security Resource Kit    Today
Writing Secure Code 2                        Today

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

Network Access Quarantine Whitepaper:
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

Software Restriction Policy:
http://www.microsoft.com/windows2000/technologies/security/redir-wnetsafer.asp

Windows Server 2003 Resource Kit Tools Download:
http://go.microsoft.com/fwlink/?LinkId=4544

appendix. . .

Community Resources

Community Resources
http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/

Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx

evaluations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.