
Securing Windows Networks
Security Advice From The Front Line
Presented by Robert Hensing, PSS Security Incident Response Specialist

Agenda
- Revealing Hacker Personas
- Top Security Mistakes Everyone Seems To Make
- Securing Windows Networks
- Staying Secure
- Secure Windows Initiative
- Security Improvements in XP Service Pack 2

Revealing Hacker Personas
Overview
- Revealing Hacker Personas
  - Automated vs. Targeted Attacks
  - Hacker Personas: Lame, Skilled, Sophisticated
  - Why YOU Were Selected and How You Got 0wn3d

Hacker Personas
- Automated Attacks
  - "Spreaders", "Scann Sploit Tools" or "auto-rooters"
  - Worms That Drop Bots or Trojans
- Targeted Attacks
  - 0-day Exploits
  - Custom Attacks that Exploit Weakness of Your Internet Presence

Hacker Personas: Lame - 75% of all intrusions
- Motive: Wants your storage and bandwidth
- Method: Use of spreaders, bots, well known exploits
- Abilities: Limited high level language ability
- Payload: Usually backdoors disguised as a clever service name
  - "TCP/IP" service or "System Security" service
  - "Microsoft ISA Server Common Files" service

Hacker Personas: Skilled - 24% of all intrusions?
- Motive: Wants to explore your network and use your storage and bandwidth; wants to avoid discovery as much as possible.
- Method: Customized intrusion based on identified vulnerabilities for multiple operating systems or applications
- Abilities: Advanced HLL, some ASM
- Payload: keyloggers, backdoors, sniffers, password dumpers

Hacker Personas: Sophisticated - 1% of all intrusions?
- Motive: Wants your money or your secret / confidential data
- Method: Can customize intrusion based on any number of identified vulnerabilities for a variety of operating systems and applications, possibly using 0-day exploits
- Abilities: Advanced HLL, Advanced ASM
- Payload: Rootkits, a single backdoor DLL, extortion letter!

Hacker Personas: Why you were selected and how you got 0wn3d . . .
- Odds are great you were 0wn3d by a lamer
- You were easily identified as a Windows host through a simple port-scan (no firewall)
- You are on a big fat pipe (possibly hosted)
- You have weak passwords or missing security patches due to a missing or ineffective security policy

Demonstration: Windows Rootkit "Hacker Defender"

Top Security Mistakes Everyone Seems To Make
- Weak or non-existent password policy
- No audit policy
- Sporadic security patch policy
- Patching the OS, but not the apps
- Weak or non-existent firewall policy
- No egress filtering
- No knowledge of securely building a new box, which leads to: Hacked? Rebuild! Hacked Again!?

How To End The Cycle of Violence
- Install from slipstreamed source
  - Don't have one? Make one!
- Patch or enable a host based firewall (or both) and then connect to the network
- Don't use the previous admin password
  - Including the SQL SA password
- Don't share local admin passwords across OS installations
  - Leads to "exploit once, run everywhere"
- Patch the applications (SQL, IIS, Exchange etc.)

Securing Windows Networks
Overview
- System Administrator Personas
- An example of what not to do
- Threats & Countermeasures: Pruning The Low Hanging Fruit

System Admin Personas: Default, Skilled, Sophisticated

System Admin Personas: Default
- Puts servers right on the Internet with no firewall
- Runs a couple of service packs behind (N-2) and doesn't know how to keep up to date with security patches
- No password policy
- No audit policy
- All default configurations and settings (all defaults, all the time)

System Admin Personas: Skilled
- Uses Internet IPs, but has router ACLs
- Latest OS SP, all OS critical updates; hasn't patched the applications in a while, if at all
- 6 character passwords with account lockouts
- Only audits logon events and monitors for account lockouts by checking event logs periodically
- Suspicious of default settings
- Performed some OS hardening by hand, didn't harden the applications though

System Admin Personas: Sophisticated
- Uses a firewall with NAT and ingress / egress filtering
- Uses an IDS / IPS in the DMZ network
- Ensures critical security patches are tested and deployed in 24 hours with a rollback plan
- 12 character passwords, not shared anywhere, no account lockout, may use 2-factor authN
- Audits everything, archives audit logs daily
- Hardened OS using security templates / group policy, hardened applications

What Not To Do . . .
- Configure your system with an Internet routable IP address
- Run multiple applications / services on one box
  - Active Directory, IIS, SQL, Exchange, PCAnywhere, 3rd party software
- Avoid installing patches
- Don't have a password policy
  - "What are the odds that someone would guess 666 is my admin password?"
- If you do this, here's what the hackers see . . .

Threats: Low Hanging Fruit
Overview
- NULL Session Enumeration
- Password / Account Lockout Attacks
- Password Hash Attacks
- Remote Code Execution Vulnerabilities
- Physical Attacks
- Unauthorized Network Access
- The VPN "firewall bypass" Server

Threat - NULL Session Enumeration
- Understanding the NULL user
  - A network connection, usually using NetBIOS TCP 139, in which no credentials have been passed.
  - A network token gets created on the server for the client, and the Everyone SID gets added to the token
  - The token can now enumerate sensitive information using the Net* APIs the Everyone SID has permissions to!
- Countermeasures
  - RestrictAnonymous=2
  - Block access to TCP 139/445
  - Stop the Server service

Threat - Password Attacks / Account Lockout Attacks
- Any service that exposes authN protocols is at risk for password guessing attacks
  - NetBIOS, SMB, RDP, IIS, ...
- Countermeasures
  - Use strong passwords instead of an account lockout policy (which only protects weak passwords)
  - Educate administrators and users on how to create strong passwords.
  - Block access to ports that allow authentication from unauthorized networks (i.e. the Internet) with a firewall or IPSec port filtering policy
  - Shut down un-needed services (Server service, etc.)

Threat - Password Hash Attacks
- Online attacks
  - Dumping password hashes from LSASS while the operating system is running
  - Pwdump*.exe, L0phtCrack 5
- Countermeasures
  - Require 2-factor authentication
  - Prevent malicious code from running in the context of Administrator or SYSTEM
  - Since this attack requires elevated privileges, any steps taken to counter it can be undone by the code running with these elevated privileges
  - Arriving at this point means your security posture has failed elsewhere and you have other security issues to deal with

Threat - Password Hash Attacks
- Man In the Middle Attacks
  - Sniffing shared-secret authentication exchanges based on a user's password between client / server (LM, NTLMv2, Kerberos)
  - Everyone seems to think Kerberos solved the MITM password-cracking attack!
  - It did not, per the Kerberos v5 RFC: "Password guessing attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password."

Threat - Password Hash Attacks
- Man In the Middle Attacks
  - Tools available for LM/NTLM and Kerberos v5: ScoopLM / BeatLM / Kerbcrack / LC5
  - Security Friday demonstrated NTLMv2 at Blackhat on a 16-node Beowulf cluster in 2002!
  - All researchers agree the solution is strong passwords!
- Countermeasures
  - Use 2-factor authentication on Windows 2000 and later networks
    - Allows the use of the PKINIT Kerberos extension, which replaces passwords with public/private keys for the initial TGT at logon
  - Use strong 10 character or greater passwords
  - Use IPSec ESP to encrypt all network traffic
  - Use 802.1x authentication to keep rogue users off your network

Threat - Password Hash Attacks
- Assume password hashes will eventually be obtained, allowing
  - Brute-force attacks
  - Dictionary attacks
  - Hybrid attacks (use a dictionary word then brute-force a few chars)
  - Pre-computation attacks (rainbow tables), the latest craze . . .
  - L0phtCrack5 utilizes all these methods for cracking hashes
- Countermeasures
  - Don't worry about your hashes being stolen; make them immune to reversing in any reasonable amount of time!
  - Use 10 character or stronger complex passwords
    - Or better yet, pass-phrases! NT based operating systems support 128 character pass-phrases
  - Change them every 60 days or less.
  - Minimum time before password can be changed: 1 day
  - Number of previous passwords remembered: at least 24

Threat - Password Hash Attacks
- [Chart: cracking time vs. password length (6, 7, 8, 9, 10, 11 characters) for "60 Day Passwords"]
- Data from Microsoft calculations based on Philippe Oechslin's algorithms with a 1 Terabyte RainbowCrack database (research that is the basis for the new attack).
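An added example, not from the presentation: a PowerShell audit of the local account policy and the NULL-session setting against the numbers given above (10+ characters, 60-day maximum age, 1-day minimum age, 24 passwords remembered, RestrictAnonymous=2). It assumes it is run elevated on a Windows host, since secedit.exe needs administrator rights to export the policy, and that the thresholds are the deck's recommendations rather than any Microsoft baseline.

```powershell
# Added example (not from the presentation): audits the local password policy
# and the NULL-session setting against the thresholds recommended in the deck.
# Run elevated on Windows: secedit.exe needs administrator rights to export.
$Recommended = @{
    MinimumPasswordLength = 10   # "10 character or stronger"
    MaximumPasswordAge    = 60   # "change them every 60 days or less"
    MinimumPasswordAge    = 1    # "minimum time before password can be changed: 1 day"
    PasswordHistorySize   = 24   # "at least 24" previous passwords remembered
}

function Get-LocalSystemAccessPolicy {
    # Exports the local security policy with secedit and parses its
    # [System Access] section into a hashtable of setting name -> integer.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicy {
    param([hashtable]$Policy)
    $findings = @()
    foreach ($name in $Recommended.Keys) {
        $actual = $Policy[$name]
        $want   = $Recommended[$name]
        # MaximumPasswordAge is an upper bound (-1 means "never expires", which
        # also fails); every other setting is a lower bound.
        $ok = if ($name -eq 'MaximumPasswordAge') { $actual -ge 1 -and $actual -le $want } else { $actual -ge $want }
        if (-not $ok) { $findings += '{0}: {1} (recommended {2})' -f $name, $actual, $want }
    }
    # The deck prefers strong passwords to lockout, which only protects weak ones.
    if ($Policy['LockoutBadCount'] -gt 0) {
        $findings += 'LockoutBadCount: {0} (lockout only protects weak passwords)' -f $Policy['LockoutBadCount']
    }
    return $findings
}

function Test-NullSessionSetting {
    # RestrictAnonymous=2 is the NULL-session enumeration countermeasure from the deck.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if (-not ($lsa.RestrictAnonymous -eq 2)) {
        return 'RestrictAnonymous: {0} (recommended 2)' -f $lsa.RestrictAnonymous
    }
}

$results = @(Test-PasswordPolicy -Policy (Get-LocalSystemAccessPolicy)) + @(Test-NullSessionSetting)
if ($results.Count -eq 0) { 'Password and NULL-session settings match the recommendations.' }
else { $results | ForEach-Object { "FINDING  $_" } }
```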

Threat - Remote Code Execution
- RCE vulnerabilities in exposed network services allow malicious attackers to run code of their choice on a remote system
  - Stack & Heap overflows
  - Integer under/overflows
  - Format string vulnerabilities
- Countermeasures
  - Disable unnecessary services
  - Block unnecessary ports
  - Install all critical security updates within 24 hours
  - Write secure code. Run critical services using the new built-in low-privileged accounts
  - Compile C++ code with the VC7 compiler /GS switch
  - Use behavioral blocking software (Sana Security products)
  - Use Intrusion Prevention Systems

Threat - Physical Attacks
- Assume the worst: physical theft of the machine
- Countermeasures
  - SYSKEY in mode 2 or 3
    - Key stored in your head (mode 2)
    - Key stored on a floppy (mode 3)
    - Protects password hashes with 128 bit symmetric encryption
    - Either mode prevents the Nordahl boot-disk attack
    - Also prevents the DS Restore mode style attacks
  - EFS
    - Can be used to encrypt sensitive information

Threat - Unauthorized Network Access
- Applies to both wired and wireless networks
- An unauthorized user connects or associates with the network and receives an IP address
- Starts scanning, enumerating and hacking
- Countermeasure
  - Use 802.1x to authenticate network clients before allowing them to use the network
  - Port-based authentication (requires supporting hardware infrastructure)

Threat - VPN Servers
- VPN servers usually allow users un-filtered access to the corporate intranet
- Users contaminate the intranet with malware they've collected while surfing the Internet (worms, etc.)
- Countermeasure
  - Employ a network quarantine solution
    - Quarantines VPN users in a DMZ network while the machine is checked for security policy compliance
    - After the machine checks out, packets are routed
    - If the machine fails the check, the connection is dropped

Countermeasures - Summary
- The vast majority of security threats can be fully mitigated by doing two things well:
  - Passwords
  - Security updates
- Security should not be bolted on
  - Design security into the solution from the beginning

Microsoft Solutions for Security
- Review the new Security Guidance Center
- Windows 2000 Security Hardening Guide
- Windows 2000 Solution for Securing Windows 2000 Server
- Windows Server 2003 Security Guide
  - Covers environments running Win9x and later!
  - This is our best solution for securing Windows networks!

Windows Server 2003 Security Guide
- Theme: Group Policy can be used to automate the application of security hardening and threat countermeasures through the use of pre-defined security templates applied to GPOs
- Automated policy applied as machines join the domain / are moved into organizational units
- The Windows 2000 and Windows Server 2003 Solutions for Security come with pre-configured, ready to deploy templates
- Obviously you should test them before deploying them in a production environment
  - They WILL break something

Windows Server 2003 Security Guide
- Provides 3 different security levels for the enterprise
  - Legacy Client (Compatible with Win9x - XP)
  - Enterprise Client (Compatible with 2000 & XP only)
  - High Security Client (Compatible with 2000 & XP only)

Demonstration: Securing Windows Servers using Group Policy

Staying Secure
Overview
- Awareness
  - Security Alert Notification Services
- Vulnerability Assessment
- Responding to Security Events
  - Patch Warfare: Thursday, Tutorial 6
  - Incident Response: Thursday, Tutorial 6

Staying Secure: Security Alert Notification Service
- Get e-mail alerts of Microsoft security bulletins for all Microsoft products
- Plain-text e-mail, PGP signed with the MSRC PGP key

Staying Secure: Vulnerability Assessment
- Microsoft Baseline Security Analyzer 1.2
  - Local or Remote Vulnerability & Patch scanner
  - Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, Biztalk, SNA, and HIS vulnerabilities / patches.
  - English, German, French or Japanese builds!

Staying Secure: MBSA Pros and Cons
- Pros
  - Free
  - Great product coverage
  - Agent-less
- Cons
  - Requires authentication with the remote machine and the Remote Registry and Server services
  - Slow when scanning large networks
  - No easy way to aggregate XML output

Staying Secure: 3rd Party vulnerability assessment software
- ISS Internet Scanner / System Scanner
- Foundstone FoundScan
- Much more in-depth than MBSA 1.2

Secure Windows Initiative
- Microsoft's New Security Culture
- Started with Bill Gates' Trustworthy Computing Memo
- Led to SD3+C: Secure By Design, Secure By Default, Secure in Deployment + Communications

Secure Windows Initiative: SD3+C
- Windows Server 2003 is the first product to result from SWI; it makes use of many Attack Surface Reductions (ASRs)
- Secure by Default
  - 60% less attack surface area by default compared to Windows NT 4.0 SP3
  - Services off by default
  - Services run at lower privilege
- Secure by Design
  - Code reviews
  - IIS re-architecture
  - Threat models
  - $200M investment
- Secure in Deployment
  - Configuration automation
  - Identity management
  - Monitoring infrastructure
  - Prescriptive guidance
- Communications
  - Community investment
  - Architecture webcasts
  - Writing Secure Code 2.0

Secure Windows Initiative
- Does SWI work? Let's have a look . . .
- MS03-007: vulnerability exploited through IIS 5.0 + WebDAV
- WS2003 / IIS 6 not affected because:
  - IIS6 not installed by default
  - If it was installed, WebDAV disabled by default
  - If it was enabled, IIS6 rejects long URLs by default
  - If it didn't reject long URLs, the BO would occur in a low privilege process, not a process running as SYSTEM

Secure Windows Initiative
- Are there other examples?
- MS04-011 fixes 14 Windows vulnerabilities
- Of these 14 vulnerabilities, the LSASS and PCT vulnerabilities are critical on Windows 2000, and exploits were in the wild days after the patch was released!

Secure Windows Initiative
- These vulnerabilities were rated as Low on Windows Server 2003; why?
- Attack Surface Reductions (ASRs) as a result of SWI
  - PCT is not enabled by default!
  - LSASS vulnerability not remotely exploitable by default!

Secure Windows Initiative
- Want more? Coming soon:
  - Secure Server Roles for Windows Server 2003
    - Task based security wizard to further automate hardening of WS2003 server roles
  - Windows XP Service Pack 2
    - The most secure consumer operating system to date!

Security Improvements in XP Service Pack 2
Overview
- Network Protection Technologies
- Memory Protection Technologies
- Safer E-Mail
- Safer Browsing
- Windows Installer 3.0

Network Protection Technologies
- Alerter & Messenger GONE! (Okay, disabled)
- Universal Plug & Play also disabled by default
- Bluetooth network stack included by default
  - Disabled unless a WHQL Bluetooth device is present

Network Protection Technologies: DCOM locked down by default!
- Previously, no way for administrators to enforce a machine-wide access policy for all DCOM applications
- XP has over 150 DCOM servers OOB!
- Many DCOM applications have weak "Launch" and "Access" permissions that allow anonymous remote activation / access!
- Administrators had no way to centrally manage / override these settings!

Network Protection Technologies: DCOM Solution
- Machine-wide access check performed before any server-specific access checks are performed.
- Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
- Everyone is granted local launch, activation and call permissions

Network Protection Technologies: RPC locked down by default (RPC Interface Restriction)
- Previously RPC interfaces were wide open for anonymous access
- SP2 adds the RestrictRemoteClients setting and enables it by default
  - Requires all remote RPC clients to authenticate
- The EPM now requires AuthN
  - Must set EnableAuthEpResolution to 1 on clients to get the EPM working again.
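An added example, not from the presentation: a PowerShell check of the SP2 RPC and DCOM lockdown described above. It assumes XP SP2 or later, that the RPC policy values live under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc and the machine-wide DCOM descriptors (MachineLaunchRestriction, MachineAccessRestriction) under HKLM\SOFTWARE\Microsoft\Ole, and takes the DCOM access-mask bit values from objbase.h.

```powershell
# Added example (not from the presentation): reports the RPC interface
# restriction values and decodes the machine-wide DCOM security descriptors,
# flagging non-administrator SIDs that still hold remote launch/activate
# rights and any anonymous remote access right. Run elevated on Windows.
$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'

# DCOM access-mask bits (objbase.h); SP2's lockdown is about the remote bits.
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10
$AdministratorsSid = 'S-1-5-32-544'
$AnonymousSid      = 'S-1-5-7'

function Get-RpcRestriction {
    # RestrictRemoteClients absent means the SP2 built-in default (remote
    # clients must authenticate) is in effect; 0 re-opens anonymous access.
    $p = Get-ItemProperty -Path $RpcPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictRemoteClients  = if ($null -ne $p.RestrictRemoteClients) { $p.RestrictRemoteClients } else { 'not set (SP2 default)' }
        EnableAuthEpResolution = if ($null -ne $p.EnableAuthEpResolution) { $p.EnableAuthEpResolution } else { 0 }
        AnonymousRpcAllowed    = ($p.RestrictRemoteClients -eq 0)
    }
}

function Get-DcomRemoteGrants {
    # $ValueName is MachineLaunchRestriction or MachineAccessRestriction, a
    # REG_BINARY self-relative security descriptor that SP2 introduced.
    param([string]$ValueName)
    $ole = Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $ole) { return }   # no machine-wide descriptor: pre-SP2 behaviour
    $bytes = [byte[]]($ole.$ValueName)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $remoteBits = $ace.AccessMask -band ($COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE)
        if ($remoteBits -eq 0) { continue }
        [pscustomobject]@{ Setting = $ValueName; Sid = $ace.SecurityIdentifier.Value; Mask = ('0x{0:x}' -f $ace.AccessMask) }
    }
}

function Test-DcomLockdown {
    # Per the deck: only administrators may remotely launch/activate. Remote
    # *access* (calls) for Everyone is the SP2 default, but never for Anonymous.
    $findings = @()
    foreach ($g in Get-DcomRemoteGrants 'MachineLaunchRestriction') {
        if ($g.Sid -ne $AdministratorsSid) { $findings += "remote launch/activate granted to $($g.Sid) (mask $($g.Mask))" }
    }
    foreach ($g in Get-DcomRemoteGrants 'MachineAccessRestriction') {
        if ($g.Sid -eq $AnonymousSid) { $findings += "remote access granted to ANONYMOUS LOGON (mask $($g.Mask))" }
    }
    return $findings
}

Get-RpcRestriction | Format-List
$dcom = Test-DcomLockdown
if ($dcom.Count -eq 0) { 'DCOM machine-wide restrictions match the SP2 lockdown.' }
else { $dcom | ForEach-Object { "FINDING  $_" } }
```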

Network Protection Technologies: Windows Firewall (the software formerly known as ICF)
- Boot time security
- On by default for all interfaces, global configuration (all interfaces can share the same configuration)
- Local subnet restriction
- Command line support (via netsh) for "scriptomatic" configuration (think logon scripts)
- "On with no exceptions"
- Exception List
- Multiple Profiles
- RPC Support
- Restore Defaults
- Unattended Setup for OEMs
- Multicast / Broadcast support
- New and improved Group Policy configuration (via System.adm)

Memory Protection Technologies: Introducing Data Execution Protection (NX)
- Buffer overflows usually place shellcode on the stack or in the heap and cause execution to jump to this location
- NX marks areas of the stack / heap as non-executable, preventing this mal-code from running
- Usermode apps that attempt to run code will AV
- Kernelmode drivers that attempt to run code will bluescreen
- Supported on AMD64, IA64 and forthcoming x64 Intel CPUs, for both 32bit and 64bit Windows XP

Memory Protection Technologies: /GS
- Stack based buffer overflow protection
- Places a canary value on the stack before / after stack allocations
- Value is checked when values are read from the stack to make sure the stack hasn't been overwritten
- If the canary value has changed, the process crashes vs. allowing code to execute

Safer E-Mail
- Outlook Express will read all e-mail as plain-text by default
  - Blocks HTML e-mail exploits
- "Don't download external HTML content"
  - If you chose to render HTML e-mail, external HTML is not rendered / downloaded
  - Blocks "web bugs" etc.
- AES API (Attachment Execution Service)
  - Apps no longer have to roll their own attachment handling code (can be shared by IM, e-mail etc)

Safer Browsing: Internet Explorer
- Add-On Management / Crash Protection
- Binary Behaviors locked down now
  - Option appears in each zone for configuring
- BindToObject mitigation
  - ActiveX security model now applied to URL binding
- Microsoft Java VM can be disabled per zone
- Local Machine Zone lockdown
  - All local files / content processed by IE run in the LMZ
  - No ActiveX objects allowed
  - Scripts set to Prompt
  - Binary Behaviors disallowed
  - No Java!

Safer Browsing: Internet Explorer
- Improved MIME handling
- 4 diffe
