Microsoft Days 09 Windows 2008 Security
Transcript of Microsoft Days 09 Windows 2008 Security
Page 1: Microsoft Days 09 Windows 2008 Security
IT Professionals
Kempinski Hotel Zografski, Sofia
Page 2: Windows Server 2008 Security Improvements
April 12, 2023
Windows Server 2008 Security Improvements
Deniz Kaya, Microsoft, Cisco, Ironport, Mile2 Instructor
MCT, MCSE, CCSI, CCSP, CCNP, ICSI, ICSP, CPTS
Page 3: Agenda
• Windows Firewall with Advanced Security
• Server and Domain Isolation
• Server Core
• Windows Service Hardening
• Read-Only Domain Controllers
• Fine-grained Password Policy
• Network Access Protection
Page 4: Windows Firewall with Advanced Security
• Combined firewall and IPsec management
  – New management tools: Windows Firewall with Advanced Security MMC snap-in
  – Reduces conflicts and coordination overhead between the two technologies
• Firewall rules become more intelligent
  – Specify security requirements such as authentication and encryption
  – Specify Active Directory computer or user groups
• Outbound filtering
  – Enterprise management feature, not for consumers
• Simplified protection policy reduces management overhead
Page 5: Windows Firewall with Advanced Security
• Combined firewall and IPsec management
• Firewall rules become more intelligent
• Policy-based networking
Page 6: Server & Domain Isolation
• Domain Isolation: protect managed computers from unmanaged or rogue computers and users
• Server Isolation: protect specific high-value servers and data
Page 7: Isolation Solution Details
Policy Management: policies are created, distributed, and managed through Active Directory® Security Groups and Group Policy:
– Domain membership is required to access trusted resources.
– Expands the use of supportive tools like Microsoft Systems Management Server (SMS) 2003 or Windows Server® Update Service (WSUS).
Authentication: based on machine and user credentials:
– Kerberos, X.509 certificates, NTLM version 2 (NTLMv2), NAP health certificates
Enforcement: policies are enforced at the network layer by IPsec:
– Uses IPsec transport mode for end-to-end security and Network Address Translation (NAT) traversal
– Packets encapsulated with Encapsulating Security Payload (ESP) or Authentication Header (AH) for authentication and integrity
– Optionally, encryption of highly sensitive network traffic
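The two isolation policies above expressed as Windows Firewall with Advanced Security rules, as an added example that is not part of the deck: a connection security rule that makes this host require Kerberos computer authentication (domain isolation), and an inbound rule that admits SQL traffic only over authenticated IPsec from one AD computer group (server isolation). The domain CONTOSO, the group "Finance Servers" and TCP port 1433 are assumptions.

```powershell
# Added example, not from the deck. Assumes a hypothetical domain CONTOSO with an AD
# security group "Finance Servers" and a SQL listener on TCP 1433. Run elevated on a
# Windows Server 2008 / Vista host; netsh advfirewall is built in.

# 1. Domain isolation: require Kerberos computer authentication for inbound traffic and
#    request it for outbound. Unmanaged or rogue hosts hold no domain computer account,
#    cannot authenticate, and are therefore refused by this machine.
netsh advfirewall consec add rule name="Domain Isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb profile=domain

# 2. Server isolation: allow inbound SQL only when the peer authenticated via IPsec AND
#    its computer account is in "Finance Servers". The group is handed to the firewall as
#    an SDDL DACL string built from the group's SID.
$account  = New-Object System.Security.Principal.NTAccount("CONTOSO", "Finance Servers")
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl     = "D:(A;;CC;;;$groupSid)"
netsh advfirewall firewall add rule name="SQL from Finance Servers (IPsec)" `
    dir=in action=allow protocol=TCP localport=1433 `
    security=authenticate rmtcomputergrp="$sddl" profile=domain

# 3. Verify what was written, then watch the IPsec main-mode SAs that peers establish.
netsh advfirewall consec show rule name="Domain Isolation"
netsh advfirewall firewall show rule name="SQL from Finance Servers (IPsec)" verbose
netsh advfirewall monitor show mmsa
```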
Page 8: Demo
Windows Firewall with Advanced Security; Server & Domain Isolation
Page 9: Server Core
• Only a subset of the executable files and DLLs installed
• No GUI interface installed
• 9 available Server Roles
• Can be managed with remote tools
Diagram: Windows Server Core keeps Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems; GUI, CLR, Shell, IE, OE, etc. are not installed.
Roles: WSv, DHCP, DNS, File, Print, AD DS, AD LDS, Media, IIS 7
Page 10: Server Core and Roles
• Windows Server is frequently deployed to support a single role or a fixed workload
  – Despite a fixed workload, you still have to deploy and service all of Windows Server
  – Services not essential to the workload have costs for servicing, security, and management
• IT staff and IT skills are technology role-centric
  – Active Directory administrators don't usually administer web servers
  – Skill sets for SQL administration are not highly transferable to DHCP administration
Page 11: Windows Service Hardening
• Built-in accounts for easy management
  – No password management requirements
  – LocalSystem
    • Very powerful and has most privileges; use cautiously
  – LocalService and NetworkService
    • Greatly reduced privilege set
    • NetworkService uses the machine account for remote authentication
Diagram: active protection of the file system, registry and network.
Page 12: Service Hardening
• Services are attractive targets for malware
  – Run without user interaction
  – Number of critical vulnerabilities in services
  – Large number of services run as "System"
  – Worms target services
    • Sasser, Blaster, CodeRed, Slammer, etc.
Page 13: Problem: Shared Session 0
• Services and user applications for the console user run in the same session (session 0)
• Application windows in the same session can freely send window messages to each other
• A low-privilege application window may exploit a vulnerability in a high-privilege application window by means of window messaging
Page 14: Solution: Session 0 Isolation
• No more shared Session 0
  – Session 0 is assigned exclusively to services and the session is made non-interactive
  – User applications run in session 1 and higher
  – Services are isolated from user applications to avoid attacks
Page 15: Problem: Privilege Issue
• Services automatically gain all privileges of the account they are running in
• Services cannot specify the set of privileges required
• Lack of granular control over privileges
  – Services run with unnecessarily high privileges
Diagram: LocalSystem services Disk Manager and Garbage Collector both receive privileges such as Load driver, Shut Down and Back Up.
Page 16: Solution: Running With Least Privilege
• Privilege stripping
  – Enables a service to run with least privilege
• Use only required privileges
  – Express required privileges during service configuration
    • SeBackupPrivilege, SeRestorePrivilege, etc.
    • ChangeServiceConfig2 API (sc.exe can be used as well)
  – SCM computes the union of all hosted services' required privileges
    • Permanently removes unnecessary privileges from the process token when the service process starts
  – No privileges are added
    • Target account must support the required privileges, e.g. a service in the LocalService account cannot get SeTcbPrivilege
Page 17: Problem: No Service Isolation
• Services do not have their individual identity
  – Identity of a service is tied up with the account it's running in
  – E.g. when the Web Server is granted access to the database, the Time Server also gains access to the database
Diagram: Web Server (Account: LocalService) and Time Server (Account: LocalService) both reach the Database.
Page 18: Solution: Service Isolation
• Service-specific SID
  – 1:1 mapping between service name and SID
  – Use it to ACL objects the service needs, allowing access only to the service-specific SID
    • Use ChangeServiceConfig2 or sc.exe to control the service SID
    • Set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
• Service-specific SID assigned at start time
  – When the service process starts
    • SCM adds service SIDs to the process token: S-1-5-80-XXXXX-YYYYY
    • SID enabled/disabled when the service starts/stops
  – Service SIDs are local to the machine
Page 19: Network Access Restriction
– Service network restrictions are implemented with per-service SIDs
– The Server 2008/Vista firewall has been enhanced to support service network restriction
– Services can add a firewall rule to specify the communication protocol, ports and direction of the traffic
  • E.g. a service can add a rule to restrict its network access to TCP port 10000 for outbound communication
– The integrated firewall in Vista/Server 2008 will block all other types of network access
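The three service-hardening mechanisms from pages 16, 18 and 19 (privilege stripping, the per-service SID, and a service-scoped firewall rule) as one PowerShell walk-through, added here and not taken from the deck. The service name ExampleSvc and the folder C:\ExampleSvc\data are assumptions; the SID derivation in Get-ServiceSid is the documented S-1-5-80 scheme (SHA-1 of the upper-cased service name), cross-checked against sc.exe showsid.

```powershell
# Added example, not from the deck. "ExampleSvc" is a hypothetical service name and
# C:\ExampleSvc\data a hypothetical data folder. Run elevated; sc.exe is the built-in
# front end to the ChangeServiceConfig2 API named on the slides.

# 1. Per-service SID. The SCM derives it from the service name alone: S-1-5-80 followed by
#    the SHA-1 of the upper-cased name (UTF-16LE) as five little-endian 32-bit sub-authorities.
#    That is why the mapping is 1:1 and why it is the same on every machine for that name.
function Get-ServiceSid {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $digest = [System.Security.Cryptography.SHA1]::Create().ComputeHash($nameBytes)
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($digest, $_ * 4) }
    return "S-1-5-80-" + ($subAuthorities -join "-")
}
Get-ServiceSid -ServiceName "ExampleSvc"
sc.exe showsid ExampleSvc                 # must print the same SID

# 2. Make the SCM add that SID to the service's process token so objects can be ACLed to it.
sc.exe sidtype ExampleSvc unrestricted
sc.exe qsidtype ExampleSvc

# 3. Grant the data folder to this service only, not to every process running as LocalService.
icacls C:\ExampleSvc\data /grant "NT SERVICE\ExampleSvc:(OI)(CI)M"

# 4. Privilege stripping: declare what the service needs; at start the SCM removes every
#    other privilege from the token. Nothing is ever added, so the account must already hold
#    the listed privileges (LocalService cannot be given SeTcbPrivilege this way).
sc.exe privs ExampleSvc SeChangeNotifyPrivilege/SeBackupPrivilege
sc.exe qprivs ExampleSvc

# 5. Network restriction: a rule scoped to the service via service=, for the slide's
#    "outbound TCP 10000" case. A normal allow rule only grants; the "block everything
#    else" behaviour comes from the service's own restriction rules, set from its code
#    through the firewall API (INetFwServiceRestriction), or from a block-outbound default.
netsh advfirewall firewall add rule name="ExampleSvc outbound 10000" dir=out action=allow `
    service=ExampleSvc protocol=TCP remoteport=10000
netsh advfirewall firewall show rule name="ExampleSvc outbound 10000" verbose
```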
Page 20: Read-Only Domain Controller
Diagram: Main Office and Branch Office, with the RODC in the branch.
Features:
• Read-only Active Directory database
• Only allowed user passwords are stored on the RODC
• Unidirectional replication
• Role separation
Benefits:
• Increases security for remote Domain Controllers where physical security cannot be guaranteed
Page 21: So how can we deploy a Domain Controller in this environment?!
Page 22: Read-Only Domain Controller
Admin Role Separation
• RODC Server Admin does NOT need to be a Domain Admin
• Prevents Branch Admin from accidentally causing harm to the AD
• Delegated promotion
• Policy to configure caching of branch-specific passwords (secrets) on the RODC
• Policy to filter schema attributes from replicating to the RODC
• Passwords not cached by default
1-Way Replication
• No replication from RODC to Full DC
• Attack on RODC does not propagate to the AD
Page 23: RODC – Attacker "experience"
Attacker: Let's intercept Domain Admin credentials sent to this RODC.
RODC: With Admin role separation, the Domain Admin doesn't need to log in to me.
Attacker: Let's steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let's tamper with data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Damn!
Page 24: Read-Only Domain Controller: How it works
1. Logon request sent to RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards request to Full DC
4. Full DC authenticates user
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and queues a replication request for the secrets
7. Hub DC checks Password Replication Policy to see if the password can be replicated
Diagram: Branch (RODC) and Hub (Full DC).
Page 25: Read-Only Domain Controller: Recommended Deployment Models
• No accounts cached (default)
  – Pro: most secure, still provides fast authentication and policy processing
  – Con: no offline access for anyone
• Most accounts cached
  – Pro: ease of password management; the gains are manageability improvements of the RODC, not security
  – Con: more passwords potentially exposed to the RODC
• Few accounts (branch-specific accounts) cached
  – Pro: enables offline access for those that need it, and maximizes security for the others
  – Con: fine-grained administration is a new task
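The "few accounts cached" model from this page, together with the Password Replication Policy check in step 7 of the logon flow on page 24, as an added PowerShell example that is not part of the deck. It assumes the Active Directory module (RSAT for Windows Server 2008 R2 or later, reaching a DC that runs Active Directory Web Services or the Management Gateway), a hypothetical RODC RODC-SOFIA and a hypothetical group Branch-Sofia-Users.

```powershell
# Added example, not from the deck. RODC-SOFIA, Branch-Sofia-Users and the domain are
# hypothetical. Requires the ActiveDirectory module; written to stay PowerShell 2.0 friendly.
Import-Module ActiveDirectory
$rodc = "RODC-SOFIA"

# 1. Allow only the branch group's secrets to be cached. Domain Admins, Enterprise Admins,
#    krbtgt and the other built-in privileged principals are already on the denied list via
#    the "Denied RODC Password Replication Group"; a deny always wins over an allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Branch-Sofia-Users"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 2. Audit what the RODC actually holds. "Revealed" = secret replicated to the RODC (after the
#    hub DC approved it in step 7); "Authenticated" = account logged on through this RODC.
$revealedNames = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName)
$authenticatedNames = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object -ExpandProperty SamAccountName)

# 3. Defender check: a privileged account cached on the RODC is exactly what the "steal this
#    RODC" scenario on page 23 relies on, so flag any such account.
$privilegedNames = @(Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Select-Object -ExpandProperty SamAccountName)
$exposed = @($revealedNames | Where-Object { $privilegedNames -contains $_ })
if ($exposed.Count -gt 0) {
    Write-Warning ("Privileged accounts cached on {0}: {1}" -f $rodc, ($exposed -join ", "))
}

# 4. Branch users who log on through the RODC but are not cached depend on the WAN link to the
#    hub for every logon (the "no offline access" con); list them so the allow list can be reviewed.
$notCached = @($authenticatedNames | Where-Object { $revealedNames -notcontains $_ })
$notCached
```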
Page 26: Demo
Read-Only Domain Controllers
Page 27: Fine-Grained Password Policies: Overview
• Granular administration of password and lockout policies within a domain
• Usage examples:
  – Administrators
    • Strict setting (passwords expire every 14 days)
  – Service accounts
    • Moderate settings (passwords expire every 31 days, minimum password length 32 characters)
  – Average user
    • "Light" setting (passwords expire every 90 days)
Page 28: Fine-Grained Password Policies: At a glance
• Policies can be applied to:
  – Users
  – Global security groups
• Does NOT apply to:
  – Computer objects
  – Organizational Units
• Multiple policies can be associated with a user, but only one applies
Page 29: Fine-Grained Password Policies: Example
Diagram: Password Settings Object PSO 1 (Precedence = 10) and Password Settings Object PSO 2 (Precedence = 20) both apply to the same users; the resultant PSO is PSO 1, because the lowest precedence value wins.
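The precedence example above and the 14-day administrator policy from page 27, built with the Active Directory module as an added example that is not part of the deck. The module (RSAT for Windows Server 2008 R2 or later), a domain at the Windows Server 2008 functional level, the group Tier0-Admins and the user alice (a member of both Tier0-Admins and Domain Users) are assumptions.

```powershell
# Added example, not from the deck. Tier0-Admins and alice are hypothetical. Every PSO
# attribute is given explicitly because the msDS-PasswordSettings class requires them all.
Import-Module ActiveDirectory

# PSO 1: strict administrator policy, precedence 10.
New-ADFineGrainedPasswordPolicy -Name "PSO1-Admins" -Precedence 10 `
    -MaxPasswordAge "14.00:00:00" -MinPasswordAge "1.00:00:00" `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -LockoutThreshold 5 `
    -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00"

# PSO 2: "light" policy for ordinary users, precedence 20 (higher number = lower priority).
New-ADFineGrainedPasswordPolicy -Name "PSO2-Users" -Precedence 20 `
    -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" `
    -MinPasswordLength 8 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -LockoutThreshold 10 `
    -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00"

# PSOs link only to users and global security groups (never to OUs or computer objects).
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO1-Admins" -Subjects "Tier0-Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO2-Users"  -Subjects "Domain Users"

# alice is in both groups, so both PSOs apply to her, but only one takes effect: the lowest
# precedence value wins (a PSO linked directly to the user beats any group link, and a tie
# is broken by the lowest PSO GUID). Expected resultant PSO: PSO1-Admins, 14-day expiry.
Get-ADUserResultantPasswordPolicy -Identity "alice" | Select-Object Name, Precedence, MaxPasswordAge
```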
Page 30: Example: Patch Using Network Access Protection
1. Client requests access to the network and presents its current health state
2. DHCP, VPN or Switch/Router relays the health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1-4)
5. If policy compliant, the client is granted full access to the corporate network
Diagram: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as Patch, AV; Restricted Network with Remediation Servers; Corporate Network.
Page 31: NAP - Enforcement Options

| Enforcement | Healthy Client | Unhealthy Client |
|---|---|---|
| DHCP | Full IP address given, full access | Restricted set of routes |
| VPN (MS and 3rd Party) | Full access | Restricted VLAN |
| 802.1X | Full access | Restricted VLAN |
| IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems |

• Complements layer 2 protection
• Works with existing servers and infrastructure
• Flexible isolation
Page 32: IPsec-based NAP Walk-through
Participants: Client, DHCP, Remediation Server, Health Registration Authority (HRA), NPS. Zones shown: Quarantine Zone, Boundary Zone, Protected Zone. The client's attempt at accessing the network is initially blocked (X).
Client → DHCP: May I have a DHCP address?
DHCP → Client: Here you go.
Client → HRA: May I have a health certificate? Here's my SoH.
HRA → NPS: Client ok?
NPS → HRA: No. Needs fix-up.
HRA → Client: You don't get a health certificate. Go fix up.
Client → Remediation Server: I need updates.
Remediation Server → Client: Here you go.
NPS → HRA: Yes. Issue health certificate.
HRA → Client: Here's your health certificate.
Page 33: Thank you!