Securing your data: Security with Microsoft Infrastructure and Internet Explorer. Matt Kestian, Strategic Security Advisor, National Security Team, Microsoft Corporation, March 11, 2005. Version 1.0


Page 1

Securing your data: Security with Microsoft Infrastructure and Internet Explorer

Matt Kestian, Strategic Security Advisor, National Security Team, Microsoft Corporation, March 11, 2005

Version 1.0

Page 2

Microsoft Confidential – NDA Material

Agenda

Some true stories...

Phishing/malware demonstration

Strategy for securely browsing with Internet Explorer

Defense in depth
Securing the perimeter
Securing the network
Securing the hosts
Securing applications
Securing the data

Page 3

True stories from the field

Phishing gone high tech

Bank in Latin America

E-mail between two companies (actually this one is personal)

Page 4

IE Security Improvements in XP SP2

Page 5

Post XP SP2 observations

Strengths
Big security investments were worthwhile
Balance of app compat and security seems good

Opportunities to improve
Needed to consider cleanup, not just protection
Info disclosure just as important as code execution
Servicing IE with the OS is difficult for some customers
Configuration management: are we doing all we can?
Everyone wants new features, even security pros

IE 7 will beta this summer with even more phishing and malware protection

Page 6

Threat Modeling: STRIDE

Spoofing: an unauthorized user impersonating a valid user
Tampering: an attacker illegally modifying or destroying data
Repudiation: the ability of a user to deny performing an action
Information disclosure: releasing information to unauthorized users
Denial of service: causing the system to be unavailable to valid users
Elevation of privilege: an attacker illegally gains a higher level of access
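Added example (not from the original deck): the six categories above applied per element of a small data-flow diagram, in Python. The element-type-to-category table is the standard STRIDE-per-element mapping; the three-tier sample diagram, its trust levels, the rule that a flow crossing a trust boundary also picks up Spoofing and Elevation of privilege, and the countermeasure hints (taken from the layer slides later in this deck) are this example's own assumptions.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not from the original deck. The per-element table is the
standard STRIDE-per-element mapping; the sample DFD, trust levels and the
trust-boundary rule are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which categories are examined for each kind of DFD element.
THREATS_BY_ELEMENT = {
    "external_entity": "SR",   # callers can be impersonated or deny acting
    "process": "STRIDE",       # running code is exposed to everything
    "data_store": "TRID",      # stores can be altered, leaked, filled up;
                               # log stores also carry repudiation risk
    "data_flow": "TID",        # data in transit can be altered, read, cut
}

# Countermeasures this deck proposes in its layer slides, keyed by category.
COUNTERMEASURES = {
    "Spoofing": "mutual authentication (IPsec, Kerberos)",
    "Tampering": "signed packets, NTFS ACLs",
    "Repudiation": "auditing",
    "Information disclosure": "encryption (IPsec, EFS, RMS)",
    "Denial of service": "block ports, firewalls, only required services",
    "Elevation of privilege": "least privilege, hardening, security updates",
}


@dataclass
class Element:
    name: str
    kind: str            # key of THREATS_BY_ELEMENT
    trust: int = 0       # higher means more trusted (example convention)
    src: str = ""        # data flows only: element names at each end
    dst: str = ""


def enumerate_threats(elements: List[Element]) -> Dict[str, List[str]]:
    """Return {element name: [threat category names]} for every element."""
    by_name = {e.name: e for e in elements}
    out: Dict[str, List[str]] = {}
    for e in elements:
        letters = THREATS_BY_ELEMENT[e.kind]
        if e.kind == "data_flow":
            src, dst = by_name[e.src], by_name[e.dst]
            if src.trust != dst.trust:
                # A flow crossing a trust boundary is where the receiver must
                # authenticate the sender (S) and must not let the sender act
                # with the receiver's privileges (E). Example convention.
                letters += "SE"
        out[e.name] = [STRIDE[c] for c in letters]
    return out


def sample_dfd() -> List[Element]:
    """Constructed three-tier DFD: browser -> web app -> SQL (+ SQL audit log)."""
    return [
        Element("browser", "external_entity", trust=0),
        Element("web_app", "process", trust=1),
        Element("sql", "data_store", trust=2),
        Element("sql_audit_log", "data_store", trust=2),
        Element("https", "data_flow", src="browser", dst="web_app"),
        Element("tds", "data_flow", src="web_app", dst="sql"),
        Element("log_write", "data_flow", src="sql", dst="sql_audit_log"),
    ]


def report(elements: List[Element]) -> List[str]:
    """One line per (element, threat) pair with the deck's countermeasure."""
    lines = []
    for name, threats in enumerate_threats(elements).items():
        for t in threats:
            lines.append(f"{name}: {t} -> {COUNTERMEASURES[t]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(sample_dfd())))
```

The list of threats for each element comes from its type, not from a brainstorm, so a reviewer can check the model for completeness element by element; the trust-boundary rule is what makes the browser-to-web-app flow the place where authentication and input validation get their entries.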

Page 7

[Diagram: sample enterprise network split into VLANs, labelled: web servers, Exchange front end, DNS, IDS, Exchange, directory, web apps, LOB apps, SMS/MOM, SQL cluster, disk array, desktops]

Attack Methodologies

1. Reconnaissance: port scanning, network mapping
2. Search for known vulnerabilities
3. Exploit the vulnerabilities
4. Take ownership: elevate privileges; download hacker tools, backdoors, rootkits, etc.
5. Perform unauthorized activities; determine other targets and attack them
6. Steal the data
7. Cover your tracks: clear audit trails

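Added example (not from the original deck): step 1 above is the one step a defender can see in firewall logs before any exploit runs. The Python below reads Windows Firewall log lines in the pfirewall.log W3C field order (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...) and reports sources that hit many distinct ports on one host inside a short window. The log excerpt is constructed for this example; the port threshold and the time window are assumptions to tune per environment.

```python
"""Spot the reconnaissance step (a port scan) in Windows Firewall log lines.

Added example, not from the original deck. The log excerpt is constructed
here in the pfirewall.log field order (date time action protocol src-ip
dst-ip src-port dst-port ...); the thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-11 10:02:13 DROP TCP 10.0.0.5 10.0.0.20 3456 21 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:14 DROP TCP 10.0.0.5 10.0.0.20 3457 22 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:15 OPEN TCP 10.0.0.7 10.0.0.20 1025 445 - - - - - - - - -
2005-03-11 10:02:15 DROP TCP 10.0.0.5 10.0.0.20 3458 23 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:16 DROP TCP 10.0.0.5 10.0.0.20 3459 25 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:17 DROP TCP 10.0.0.5 10.0.0.20 3460 80 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:18 DROP TCP 10.0.0.5 10.0.0.20 3461 110 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:19 DROP TCP 10.0.0.5 10.0.0.20 3462 135 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:20 DROP TCP 10.0.0.5 10.0.0.20 3463 139 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:21 DROP TCP 10.0.0.5 10.0.0.20 3464 443 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:22 DROP TCP 10.0.0.5 10.0.0.20 3465 445 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:23 DROP TCP 10.0.0.5 10.0.0.20 3466 1433 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:24 DROP TCP 10.0.0.5 10.0.0.20 3467 3389 48 S 1 0 65535 - - - RECEIVE
2005-03-11 10:02:40 OPEN TCP 10.0.0.7 10.0.0.20 1026 445 - - - - - - - - -
2005-03-11 10:03:02 DROP UDP 10.0.0.9 10.0.0.20 137 137 78 - - - - - - - RECEIVE
"""

Event = Tuple[datetime, str, str, str, str, int]   # ts, action, proto, src, dst, dport


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse W3C-style firewall lines, skipping directives and short lines."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, f[2], f[3], f[4], f[5], int(f[7])))
    return events


def detect_port_scans(lines: Iterable[str], min_ports: int = 10,
                      window: timedelta = timedelta(seconds=60)
                      ) -> Dict[Tuple[str, str], Tuple[datetime, datetime, List[int]]]:
    """Return {(src, dst): (first, last, ports)} for every source that touched
    at least `min_ports` distinct destination ports on one host inside
    `window`. The widest qualifying window per pair is reported."""
    by_pair = defaultdict(list)
    for ts, _action, _proto, src, dst, dport in parse(lines):
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort()
        best = None
        for i, (start_ts, _) in enumerate(evs):
            in_window = [(ts, p) for ts, p in evs[i:] if ts - start_ts <= window]
            ports = sorted({p for _, p in in_window})
            if len(ports) >= min_ports and (best is None or len(ports) > len(best[2])):
                best = (start_ts, in_window[-1][0], ports)
        if best:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    for (src, dst), (first, last, ports) in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: {len(ports)} ports {first.time()}..{last.time()}: {ports}")
```

Both DROP and OPEN lines count: a scanner that hits open ports still produces a burst of distinct destination ports from one source, which is the signal, while the repeated 10.0.0.7 connections to port 445 stay below the threshold. Step 7 (clearing audit trails) is why this detection belongs on a central collector rather than on the scanned host alone.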

Page 8

Defense in Depth: an organizing framework for security

Layers: Policies, Procedures, & Awareness; Physical Security; Perimeter; Network; Host; Application; Data

Layered portfolio of countermeasures

Reduce the chance of a single point of vulnerability

Page 9

Perimeter Layer

Network perimeters include connections to: the Internet, branch offices, business partners, remote users, wireless networks, Internet applications

[Diagram: main office LAN with connections to Internet services, a business partner LAN, a branch office LAN, a wireless network, and remote users across the Internet]

Page 10

Perimeter Layer Compromise

[Diagram: the same perimeter topology as the previous slide]

Network perimeter compromise may result in:

Attack on corporate network
Attack on remote users
Attack from business partners
Attack from a branch office
Attack on Internet services
Attack from the Internet

Page 11

Perimeter Layer Protection

Network perimeter protection includes:

Firewalls
Blocking communication ports
Port and IP address translation
Virtual private networks
Tunneling protocols
Filter traffic: SMTP, spam blocking, proxy technologies
VPN quarantine

[Diagram: the same perimeter topology as the previous slides]

Page 12

ISA Server 2004: application-level firewall, VPN quarantine

Sybari Antigen: anti-virus, anti-spam

[Diagram: lab and unmanaged guest segments]

Page 13

Network Layer

[Diagram: internal network segments: Marketing, Human Resources, Finance, Sales, Wireless Network]

Page 14

Network Layer Compromise

Unauthorized access to systems
Sniff packets from the network
Unexpected communication ports
Access all network traffic
Unauthorized access to wireless networks

Page 15

Security Zones

Tier restrictions

Intra-zone tier communication restrictions

Inter-zone communication restrictions

Page 16

Network Layer Protection

Implement mutual authentication
Segment the network (VLAN, internal FW)
Encrypt network communications
Block communication ports
Control access to network devices
Sign network packets
Multi-home some servers
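Added example (not from the original deck) for the tier and zone restrictions of the Security Zones slide and the "segment the network" and "block communication ports" items above: a default-deny evaluator in Python over explicit inter-zone and intra-zone tier rules, with a lint that catches rules which quietly undo the segmentation. The zones, tiers, rule set, sample flows and the adjacent-tier-only policy are this example's assumptions, not something the slides prescribe.

```python
"""Default-deny evaluation of inter-zone and intra-zone tier traffic.

Added example, not from the original deck. The zones (internet, dmz,
internal), tiers (web, app, data), rule set and sample flows are constructed
here; treating only 'next tier' hops as legitimate is this example's policy
choice, not something the slides prescribe.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    zone: str
    tier: str           # "any" in a rule matches every tier of that zone


@dataclass(frozen=True)
class Rule:
    src: Endpoint
    dst: Endpoint
    proto: str
    port: int           # 0 in a rule matches every port


TIER_ORDER = ["web", "app", "data"]     # the only direction of reach we allow


def _match(pattern: Endpoint, actual: Endpoint) -> bool:
    return pattern.zone == actual.zone and pattern.tier in ("any", actual.tier)


def is_allowed(src: Endpoint, dst: Endpoint, proto: str, port: int,
               rules: List[Rule]) -> Optional[Rule]:
    """Default deny: return the first rule permitting the flow, else None."""
    for r in rules:
        if (_match(r.src, src) and _match(r.dst, dst)
                and r.proto == proto and r.port in (0, port)):
            return r
    return None


def lint_rules(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Flag rules that quietly undo the segmentation."""
    problems = []
    for r in rules:
        if r.port == 0:
            problems.append((r, "matches every port"))
        if r.dst.tier == "any":
            problems.append((r, "matches every destination tier"))
        if r.src.tier in TIER_ORDER and r.dst.tier in TIER_ORDER:
            hop = TIER_ORDER.index(r.dst.tier) - TIER_ORDER.index(r.src.tier)
            if hop != 1:
                problems.append((r, f"{r.src.tier} -> {r.dst.tier} is not an adjacent-tier hop"))
    return problems


# Constructed policy: the Internet reaches only the DMZ web tier on 443, the
# web tier reaches only the app tier, the app tier reaches only the database.
RULES = [
    Rule(Endpoint("internet", "any"), Endpoint("dmz", "web"), "tcp", 443),
    Rule(Endpoint("dmz", "web"), Endpoint("internal", "app"), "tcp", 8080),
    Rule(Endpoint("internal", "app"), Endpoint("internal", "data"), "tcp", 1433),
]
# A "just to make the report work" rule that bypasses the app tier.
SHORTCUT = Rule(Endpoint("dmz", "web"), Endpoint("internal", "data"), "tcp", 1433)

SAMPLE_FLOWS = [
    (Endpoint("internet", "client"), Endpoint("dmz", "web"), "tcp", 443),
    (Endpoint("internet", "client"), Endpoint("dmz", "web"), "tcp", 22),
    (Endpoint("dmz", "web"), Endpoint("internal", "data"), "tcp", 1433),
    (Endpoint("internal", "app"), Endpoint("internal", "data"), "tcp", 1433),
    (Endpoint("internal", "data"), Endpoint("dmz", "web"), "tcp", 8080),
]


def evaluate(flows, rules: List[Rule]) -> List[bool]:
    """True for each flow some rule permits, False for everything else."""
    return [is_allowed(*flow, rules) is not None for flow in flows]


if __name__ == "__main__":
    for flow, ok in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS, RULES)):
        print("ALLOW" if ok else "DENY ", flow)
    for rule, why in lint_rules(RULES + [SHORTCUT]):
        print("LINT :", why, rule)
```

The evaluator is the model of what the VLAN ACLs or internal firewall should enforce; the lint is the review step, because a single shortcut rule like SHORTCUT reintroduces the direct web-to-database path that segmentation was meant to remove.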

Page 17

Implementing IPSec Policy

Page 18

Host Layer

Specific network role
Operating system configuration

The term “host” is used to refer to both workstations and servers

Page 19

Host Layer Compromise

Unsecured operating system configuration
Unmonitored access
Exploit operating system weakness
Distribute viruses

Page 20

Attack Vectors

Malicious Web content
Buffer overrun attacks
Port-based attacks
Malicious e-mail attachments

The shrinking days-to-exploit window and the complexities around patching make patching alone a less effective defense strategy

Page 21

Windows XP Service Pack 2
Windows Server 2003 Service Pack 1
Microsoft Windows AntiSpyware
Software Restriction Policies
Future: Network Access Protection

Page 22

Host Layer Protection

Harden operating system
Install security updates
Implement auditing
Disable or remove unnecessary services
Install and maintain antivirus software; run AV and keep it up to date
Manage configuration changes
Use Group Policy: implement security templates for XP and Server
Implement IPSec for mutual authentication
Restrict anonymous access where able
Rename the admin account, disable guest
Use Windows Firewall

Page 23

Application Layer

Applications that create and access data
Server applications (for example, Exchange Server or SQL Server)

Security issues specific to applications
Functionality must be maintained

Page 24

Application Layer Compromise

Loss of application
Execution of malicious code
Extreme use of application
Unwanted use of applications

Page 25

Application Layer Protection

Enable only required services and functionality
Configure application security settings
Install security updates for applications
Install and update antivirus software
Run applications with least privilege

Page 26

Data Layer

[Diagram: documents, directory, applications]

Page 27

Data Layer Compromise

Documents: view, change, or modify information
Directory: interrogate directory files
Applications: replace or modify application files

Page 28

Technology Investments

Persistent information protection
New “lockbox” business scenarios
Deployment, usability enhancements
Offline support
FIPS compliance
Smartcard integration

Page 29

Data Layer Protection

Encrypt files with EFS
Secure SQL Server according to the SQL Server security guidelines
Move files from the default location
Create data backup and recovery plans
Protect documents and e-mail with Windows Rights Management Services
Utilize NTFS access control lists
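Added example (not from the original deck) for the last item, NTFS access control lists: a Python audit of ACLs written in SDDL, the text form that icacls /save and PowerShell's (Get-Acl).Sddl produce. It flags write-class access granted to broad principals and descriptors with no DACL at all. The sample descriptors and the set of principals treated as "broad" are constructed for this example.

```python
"""Audit NTFS ACLs written as SDDL strings for write access granted to broad principals.

Added example, not from the original deck. SDDL is the text form of a
security descriptor that tools such as icacls /save and PowerShell's
(Get-Acl path).Sddl emit. The sample descriptors and the list of 'broad'
principals are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# Well-known SID abbreviations used in SDDL (subset).
SID_NAMES = {
    "WD": "Everyone", "AN": "Anonymous", "AU": "Authenticated Users",
    "BU": "Users", "BA": "Administrators", "SY": "SYSTEM", "CO": "Creator Owner",
}
# Principals for which write access to data is normally a finding (assumption).
BROAD_PRINCIPALS = {"WD", "AN", "AU", "BU"}

# SDDL rights abbreviations -> access-mask bits (values from WinNT.h).
RIGHT_BITS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
# Bits that allow changing content, permissions or ownership of a file.
WRITE_CLASS = (0x002 | 0x004 | 0x010 | 0x100        # write/append data, EA, attributes
               | 0x10000 | 0x40000 | 0x80000         # DELETE, WRITE_DAC, WRITE_OWNER
               | RIGHT_BITS["GW"] | RIGHT_BITS["GA"])

ACE_RE = re.compile(r"\(([^)]*)\)")
Ace = Tuple[str, str, int, str]    # type, flags, access mask, SID


def rights_mask(text: str) -> int:
    """Turn the rights field of an ACE ('FA', 'FRFX', '0x1200a9') into a mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_BITS[text[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> Optional[Tuple[str, List[Ace]]]:
    """Return (DACL flags, ACEs) or None when the descriptor has no DACL."""
    d = sddl.find("D:")
    if d == -1:
        return None
    body = sddl[d + 2:]
    s = body.find("S:")              # the SACL, if present, follows the DACL
    if s != -1:
        body = body[:s]
    flags = body.split("(", 1)[0]
    aces = []
    for raw in ACE_RE.findall(body):
        ace_type, ace_flags, rights, _obj, _inherit, sid = raw.split(";")
        aces.append((ace_type, ace_flags, rights_mask(rights), sid))
    return flags, aces


def audit(sddl: str) -> List[Tuple[str, str]]:
    """List (principal, issue) pairs for a descriptor; empty means no finding."""
    dacl = parse_dacl(sddl)
    if dacl is None:
        # A missing DACL (NULL DACL) means no access checks at all.
        return [("(none)", "NULL DACL: every principal has full control")]
    _flags, aces = dacl
    findings = []
    for ace_type, _ace_flags, mask, sid in aces:
        if ace_type == "A" and sid in BROAD_PRINCIPALS and mask & WRITE_CLASS:
            findings.append((SID_NAMES.get(sid, sid), f"write-class access 0x{mask:08x}"))
    return findings


# Constructed samples: a hardened data folder (admins and SYSTEM full control,
# Users read/execute), one that grants Everyone full control, and one with
# no DACL at all.
GOOD = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
BAD = "O:BAG:SYD:AI(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)"
NO_DACL = "O:BAG:SY"

if __name__ == "__main__":
    for label, sddl in (("good", GOOD), ("bad", BAD), ("no dacl", NO_DACL)):
        print(label, audit(sddl) or "ok")
```

Deny ACEs are deliberately ignored by the audit rather than subtracted, so a descriptor that grants Everyone full control and then denies one group still shows up; an empty DACL (D: with no ACEs) grants nobody access and is not reported, unlike the NULL DACL case.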

Page 30

Security technology roadmap (timeline columns: Prior, H2 04, 2005, Future; rows: Vulnerability Assessment and Remediation, Active Protection Technologies, Antivirus)

Microsoft Baseline Security Analyzer (MBSA) v1.2; Virus Cleaner Tools; Systems Management Server (SMS) 2003; Software Update Services (SUS) SP1; Internet Security and Acceleration (ISA) Server 2004 Standard Edition; Windows XP Service Pack 2

Patching Technology Improvements (MSI 3.0); Systems Management Server 2003 SP1; Microsoft Operations Manager 2005; Windows Malicious Software Removal Tool

Windows Server 2003 Service Pack 1; Windows Update Services; ISA Server 2004 Enterprise Edition; Windows Rights Management Services SP1; Windows AntiSpyware; System Center 2005; Windows Server 2003 “R2”; Visual Studio 2005

Page 31

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.