
Windows Security

Windows Security. Matthew Cook http://escarpment.net/. Introduction. Loughborough University http://www.lboro.ac.uk/computing/ Janet Web Cache Service http://wwwcache.ja.net/ Bandwidth Management Advisory Service. Topics. Security Overview Windows 2000/XP Auditing


Presentation Transcript


  1. Windows Security Matthew Cook http://escarpment.net/

  2. Introduction Loughborough University http://www.lboro.ac.uk/computing/ Janet Web Cache Service http://wwwcache.ja.net/ Bandwidth Management Advisory Service

  3. Topics • Security Overview • Windows 2000/XP • Auditing • Operating System Patching • Baseline Security Analyzer • Incident Response • Useful Books, Tools and URLs • Back Office Products

  4. Security Overview “This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?” Bruce Schneier

  5. Security Overview Why bother? • Keeping control and service availability • Data Integrity (DPA) • Legal Liability • Reactive Work Loads • Bad Public Relations • Personal Responsibility

  6. Windows 2000/XP Range of secure operating systems • Login required • ACLs can be applied to files and folders • Auditing and logging facilities • Security Templates • NTFS/EFS • IPSec and Kerberos

  7. Windows 2000/XP • Install the OS offline • Consider partitions for: System, User Storage, Services, Logs • Use select slipstreamed CDs • Install only required features • Install current, relevant SPs and hot fixes offline

  8. Windows 2000/XP Ensure Windows vulnerable ports are blocked at the firewall. • NetBIOS Browsing Request [UDP 137] • NetBIOS Browsing Response [UDP 138] • NetBIOS Communications [TCP 135] • CIFS [TCP 139, 445 UDP 445] • Port 445 Windows 2000 only

  9. Auditing • Turn it on and configure it! • Use the ‘User Manager’ utility (NT) or the ‘Security Settings’ applet (W2K) to ensure the Audit Policy has been configured • Check the Event Viewer frequently • Use NTLast (Foundstone) URL: http://www.foundstone.com/ • Or ELM (TNT Software) URL: http://www.tntsoftware.com/

  10. Operating System Patching • Operating systems do contain bugs, and patches are a common method of distributing fixes for them. • A patch or hot fix usually contains a fix for one discovered bug. • Service packs contain multiple patches or hotfixes. There are well over 200 hotfixes in the soon-to-be-released SP4 for Windows 2000.

  11. Operating System Patching… • Only install patches after you have tested them in a development environment. • Only install patches obtained directly from the vendor. • Install security patches as soon as possible after release. • Install feature patches as and when needed. • Automate patch collection and installation as much as possible (QChain).

  12. Operating System Patching… Use automated patching technology: • SUS – Microsoft Software Update Service • SMS – Microsoft Systems Management Server • Ghost – Symantec imaging software. And other application deployment software: • Lights out Distribution • Deferred installation

  13. Baseline Security Analyzer • Freely available from Microsoft • Written by Shavlik Technologies as a direct result of Code Red attacks • A GUI to HFNetChk (v3.81) • Improved feature set • Integrated SUS functionality

  14. Baseline Security Analyzer… MBSA v1.1 supports the following host OS: • Windows 2000 Professional / Server • Windows XP Home / Professional • Windows .NET not officially supported • Windows NT not supported as host OS • Remote scanning available

  15. Baseline Security Analyzer… What applications does MBSA scan? • Operating system • Internet Explorer > 5.01 • Microsoft Office 2000 and 2002 • Media Player > 6.4 • Internet Information Services 4.0 and 5.0 • SQL Server 7.0 and 2000 • Exchange Server 5.5 and 2000

  16. Baseline Security Analyzer… • MBSA will replace HFNetChk • /hf flag introduced into the CLI • mbsacli.exe /hf <hfnetchk switches> New features: • Security best practices • Strong Passwords • Security Mis-configurations • Application configurations

  17. Incident Response What is an Incident? “Any real or suspected adverse event in relation to the security of computer systems or computer networks.” Or “The act of violating an explicit or implied security policy”

  18. Incident Response… • Don’t Panic! • Unplug the network • Get a notebook • Back-up the system and keep the Back-ups • Restrict use of email • Look for information • Investigate the cause • Request help and assistance.

  19. Incident Response… • Important to return to service swiftly • Do not jeopardize security • If in doubt, re-build • Perform forensics on a backup • Keep documentation and evidence • Contact RSC or CERT if the investigation shows the activity is not a worm or script kiddie.

  20. Useful Books, Tools and URLs • Fport - Foundstone Software http://www.foundstone.com/knowledge/ • L0pht Crack - @Stake http://www.atstake.com/research/lc/ • Snort – Open Source http://snort.sourcefire.com/ • Nmap – Insecure.org http://www.insecure.org/nmap/ • Nessus – Renaud Deraison http://www.nessus.org/

  21. Useful Books, Tools and URLs • Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.) • Incident Response. (Kenneth R. van Wyk, Richard Forno.) • Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al) • Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)

  22. Useful Books, Tools and URLs • Microsoft Security Website http://www.microsoft.com/security/ • Computer Security Incident Response Team http://www.cert.org/csirts/csirt_faq.html • JANET CERT http://www.ja.net/cert/ • Bugtraq Mailing List http://online.securityfocus.com/

  23. Questions and Answers
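
Added example, not part of the original slides: a check for slide 8's port list that reads `netstat -an` output from a host and reports which of those ports the host is offering, so you know what the firewall block is covering. The sample output and its addresses are constructed, and the function name `audit` is an assumption of this example.

```python
import re

# Ports slide 8 lists for blocking, keyed by (protocol, port), with the slide's labels.
SLIDE_PORTS = {
    ("UDP", 137): "NetBIOS Browsing Request",
    ("UDP", 138): "NetBIOS Browsing Response",
    ("TCP", 135): "NetBIOS Communications",
    ("TCP", 139): "CIFS",
    ("TCP", 445): "CIFS",
    ("UDP", 445): "CIFS",
}

# Constructed sample of Windows `netstat -an` output; all addresses are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1051      ESTABLISHED
  TCP    192.168.1.10:1034      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    192.168.1.10:137       *:*
"""

# proto, local address, local port, foreign address, optional state (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def audit(netstat_text):
    """Return (open_ports, unseen): slide-8 ports the host offers, and those not seen."""
    open_ports = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # Only a LISTENING TCP socket accepts new inbound connections.
        if proto == "TCP" and state != "LISTENING":
            continue
        if (proto, port) in SLIDE_PORTS:
            open_ports.setdefault((proto, port), []).append(addr)
    unseen = sorted(set(SLIDE_PORTS) - set(open_ports))
    return open_ports, unseen

if __name__ == "__main__":
    found, unseen = audit(SAMPLE)
    for (proto, port), addrs in sorted(found.items()):
        print(f"{proto} {port} ({SLIDE_PORTS[(proto, port)]}) bound on {', '.join(addrs)}")
    print("not seen on this host:", unseen)
```

A port reported as bound on `0.0.0.0` is offered on every interface, which is the case the firewall rule has to cover.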
