The Ten Immutable Laws of Microsoft SharePoint Security
Rick Taylor, Senior Technical Architect, Perficient
OSP201
Who Am I?
• The Guardian of Lost Souls
• The Powerful
• The Pleasurable
• The Indestructible
• Rick Taylor
• Slick Rick – if you’re nasty
Agenda
• The OSI Model
• Attack surfaces
• Best practices for securing each layer
What’s the point?
• Security is more than just AuthN/AuthZ
• Security is like dressing for the cold: do it in layers (aka Defense in Depth, DiD)
• In security, the WHY is more important than the HOW
A Word about Security
• Security and complexity are often inversely proportional.
• Security and usability are often inversely proportional.
• Security is an investment, not an expense.
• "Good enough" security now is better than "perfect" security never.
• There is no such thing as "complete security" in a usable system.
• A false sense of security is worse than a true sense of insecurity.
• Your absolute security is only as strong as your weakest link.
• Concentrate on known, probable threats.
• Security is directly related to the education and ethics of your users.
• Security is not a static end state; it is an interactive process.
• There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
• You only get to pick two: fast, secure, cheap.
• In the absence of other factors, always use the most secure options available.
• Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done.
What is the OSI Model?
Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
What is Layer 1?
• Defines electrical and physical specifications
• Defines the relationship between a device and its medium (copper, optical, radio, etc.)
Layer 1 Attack Surfaces
• The medium
  • Cable
  • Air
• The host
  • Via keyboard
  • Via conduit (RDP host)
Securing Layer 1 - continued
• Locks
• Cages
Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
What is Layer 2?
• How data is transferred from node to node across a network.
• Sublayers
  • Media Access Control (MAC)
  • Logical Link Control (LLC)
  • Application Protocol Convergence (APC)
• Protocols
  • ARP
  • PPP
Layer 2 Attack Surfaces
• Wireless Access Points: wardriving
• Hubs: broadcasting (rare)
• Switches (ARP): man-in-the-middle attacks
Securing Layer 2
• Wireless networks
• Sniffers
• ARP flooding
Securing Layer 2 - continued
• Strong passwords on wireless routers
• Strong encryption on wireless networks
• Use ARP defense software/hardware
• Use DHCP Snooping
  • Track the physical location of hosts.
  • Ensure that hosts only use the IP addresses assigned to them.
  • Ensure that only authorized DHCP servers are accessible.
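One host-side check that complements the ARP defense controls listed above, as an added PowerShell example that is not part of the deck: it reads the IPv4 neighbor (ARP) table and reports any link-layer address that is answering for more than one IP address, which is the footprint ARP poisoning of a switch segment leaves on a victim host. It assumes Get-NetNeighbor is available (Windows 8 / Server 2012 and later); the sample table at the bottom is constructed so the function can be exercised offline.

```powershell
# Added example: flag neighbor-table entries where one MAC answers for several IPs.
# Assumes Get-NetNeighbor (Windows 8 / Server 2012+); -Entries lets a constructed
# table be checked without touching the live one.

function Find-DuplicateMacEntries {
    param(
        # Objects with IPAddress and LinkLayerAddress properties; defaults to the live table.
        [object[]]$Entries = (Get-NetNeighbor -AddressFamily IPv4 -ErrorAction Stop)
    )

    # Drop entries that legitimately share a MAC: the broadcast address,
    # IPv4 multicast (01-00-5E-*) and entries with no resolved address yet.
    $candidates = $Entries | Where-Object {
        $_.LinkLayerAddress -and
        $_.LinkLayerAddress -notmatch '^(FF-FF-FF-FF-FF-FF|01-00-5E-)'
    }

    $candidates |
        Group-Object -Property LinkLayerAddress |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                LinkLayerAddress = $_.Name
                IPAddresses      = ($_.Group.IPAddress -join ', ')
                Count            = $_.Count
            }
        }
}

# Constructed sample table: the gateway (10.0.0.1) and a workstation (10.0.0.25)
# both resolve to the same MAC, which is what a poisoned cache looks like.
$sample = @(
    [pscustomobject]@{ IPAddress = '10.0.0.1';    LinkLayerAddress = 'AA-BB-CC-00-00-01' }
    [pscustomobject]@{ IPAddress = '10.0.0.25';   LinkLayerAddress = 'AA-BB-CC-00-00-01' }
    [pscustomobject]@{ IPAddress = '10.0.0.30';   LinkLayerAddress = 'AA-BB-CC-00-00-30' }
    [pscustomobject]@{ IPAddress = '10.0.0.255';  LinkLayerAddress = 'FF-FF-FF-FF-FF-FF' }
    [pscustomobject]@{ IPAddress = '224.0.0.251'; LinkLayerAddress = '01-00-5E-00-00-FB' }
)

Find-DuplicateMacEntries -Entries $sample | Format-Table -AutoSize

# Omit -Entries to check the local machine's own neighbor table instead.
```

A hit is a signal, not proof: a router that legitimately owns several IP addresses on one interface (virtual or standby addresses) will also show up, so treat the output as something to correlate with DHCP snooping and switch port records rather than as an alert on its own.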
Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone
What is Layer 3?
• Performs network routing functions
• 3 sublayers:
  • Subnetwork Access
  • Subnetwork Dependent Convergence
  • Subnetwork Independent Convergence
• Protocols: IP
• Services: ICMP
Layer 3 Attack Surfaces
• Unused open ports
• Commonly open ports
• Packet inspection
Enumerating Shares
Enabling IPSec via GPO
Benefits of IPsec
• IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network
• IPsec has two goals: to protect IP packets and to defend against network attacks
• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other
• IPsec secures network traffic by using encryption and data signing
• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated
Securing Layer 3
• Prevent ICMP abuse
  • DDoS
  • Add “no ip directed-broadcast” to the router (Smurf bounce)
  • Drop (disable) ICMP - *maybe* to prevent malware from “Phoning Home”
• Use IPsec
• Use Network Policy Processing
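The "Use IPsec" item above, worked through as an added PowerShell example (not the deck's own configuration, which it shows as a GPO screenshot): a transport-mode rule that requires Kerberos machine authentication for inbound SMB from the internal range and requests it outbound, so an unauthenticated peer on the segment cannot reach the share at all. It assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated session, and uses 10.0.0.0/8 and the GPO name as placeholders.

```powershell
# Added example: require authenticated IPsec for inbound SMB (TCP 445) from the
# internal network. Assumes Windows 8 / Server 2012+ (NetSecurity module) and an
# elevated session. 10.0.0.0/8 is a placeholder for the real internal range.

Import-Module NetSecurity

$internal = '10.0.0.0/8'   # placeholder; replace with the real internal range

# Phase 1 (main mode) authentication: the computer's domain (Kerberos) identity,
# so only domain-joined machines can negotiate a security association.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos machine auth (example)' -Proposal $proposal

# Inbound: Require, so unauthenticated SMB from $internal is dropped.
# Outbound: Request, so this host still talks to peers that cannot do IPsec yet.
New-NetIPsecRule -DisplayName 'Require IPsec for SMB from internal hosts (example)' `
    -Mode Transport `
    -Protocol TCP -LocalPort 445 -RemotePort Any `
    -RemoteAddress $internal `
    -Phase1AuthSet $phase1.Name `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Enabled True

# Verify the rule landed with the intended security settings.
Get-NetIPsecRule -DisplayName 'Require IPsec for SMB from internal hosts (example)' |
    Format-List DisplayName, Mode, InboundSecurity, OutboundSecurity, Enabled

# To author the same rule into a Group Policy Object instead of the local store
# (the GPO route the deck refers to), add -PolicyStore 'DOMAIN\GPO-NAME' (placeholder)
# to both New-NetIPsecPhase1AuthSet and New-NetIPsecRule.
```

Roll a rule like this out with outbound set to Request first and watch for peers that fail to negotiate; only switch inbound to Require on a service once every legitimate client of that service is known to complete the handshake.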
Network Policy Processing
START
1. Are there policies to process? No → Reject connection attempt. Yes → step 2.
2. Does the connection attempt match the policy conditions? No → go to next policy (back to step 1). Yes → step 3.
3. Is the remote access permission for the user account set to Deny Access? Yes → Reject connection attempt. No → step 4.
4. Is the remote access permission for the user account set to Allow Access? Yes → step 6. No → step 5.
5. Is the remote access permission on the policy set to Deny remote access permission? Yes → Reject connection attempt. No → step 6.
6. Does the connection attempt match the user object and profile settings? No → Reject connection attempt. Yes → Accept connection attempt.
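The policy evaluation flow from the chart above, written out as an added PowerShell example so the order of the decisions is explicit. This is an illustration of the flowchart's logic, not NPS code: the policies, user account and connection attributes are constructed objects, whereas the real service reads them from its configuration and from Active Directory.

```powershell
# Added example: the network policy decision flow as a function.
# Policies are evaluated in order; the first whose conditions match decides.
# Constructed inputs: $Connection is a hashtable of attributes, $User carries the
# account's dial-in permission (Allow, Deny, or ControlByPolicy), $Policies is an
# ordered list of objects with Name, Conditions, Permission and Profile.

function Test-NetworkPolicyDecision {
    param(
        [Parameter(Mandatory)] [hashtable]$Connection,
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [object[]]$Policies
    )

    foreach ($policy in $Policies) {                 # 1. are there policies to process?
        # 2. does the connection attempt match the policy conditions? (all must hold)
        $isMatch = $true
        foreach ($key in $policy.Conditions.Keys) {
            if ($Connection[$key] -ne $policy.Conditions[$key]) { $isMatch = $false; break }
        }
        if (-not $isMatch) { continue }              # go to next policy

        # 3. user account explicitly denied: reject regardless of the policy
        if ($User.RemoteAccessPermission -eq 'Deny') {
            return "Reject ($($policy.Name): user account denied)"
        }

        # 4./5. unless the account is explicitly allowed, the policy's own permission applies
        if ($User.RemoteAccessPermission -ne 'Allow' -and $policy.Permission -eq 'Deny') {
            return "Reject ($($policy.Name): policy denies remote access)"
        }

        # 6. the profile (constraints such as authentication type) must also match
        foreach ($key in $policy.Profile.Keys) {
            if ($Connection[$key] -ne $policy.Profile[$key]) {
                return "Reject ($($policy.Name): profile settings not met)"
            }
        }
        return "Accept ($($policy.Name))"
    }
    return 'Reject (no policy matched)'
}

# Constructed sample configuration: contractors are denied by policy, staff are
# allowed but only with EAP authentication.
$policies = @(
    [pscustomobject]@{ Name = 'VPN-Contractors'; Conditions = @{ Group = 'Contractors' }; Permission = 'Deny';  Profile = @{} }
    [pscustomobject]@{ Name = 'VPN-Staff';       Conditions = @{ Group = 'Staff' };       Permission = 'Allow'; Profile = @{ AuthType = 'EAP' } }
)
$user = [pscustomobject]@{ Name = 'alice'; RemoteAccessPermission = 'ControlByPolicy' }

Test-NetworkPolicyDecision -Connection @{ Group = 'Staff'; AuthType = 'EAP' }       -User $user -Policies $policies
Test-NetworkPolicyDecision -Connection @{ Group = 'Staff'; AuthType = 'PAP' }       -User $user -Policies $policies
Test-NetworkPolicyDecision -Connection @{ Group = 'Contractors'; AuthType = 'EAP' } -User $user -Policies $policies
Test-NetworkPolicyDecision -Connection @{ Group = 'Guests'; AuthType = 'EAP' }      -User $user -Policies $policies
```

The point the function makes concrete is that policy order matters: a broad policy placed before a specific one will capture connections the specific one was meant to reject, and a connection that matches no policy at all is rejected rather than silently allowed.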
Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore
What is Layer 4?
• Responsible for reliable communication between endpoints
• Protocols
  • Connection-oriented: TCP
  • Connectionless: UDP
Layer 4 Attack Surfaces
The operating system (OS Fingerprinting)
Securing Layer 4
• Use routers between network segments
• Use private IP addresses on the internal network
• Use SSL
• Pen test your network
• Enable “Fingerprint Scrubbing” on routers
Securing Layer 4 - continued
• Alter the OS kernel
  • Change the default IP time-to-live
  • Change the initial TCP window size
• Modify network-related registry entries
Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more
What is Layer 5?
• Responsible for connections between hosts
  • Establish, manage, terminate
  • Checkpointing
• Protocols: Remote Procedure Calls (RPC)
Layer 5 Attack Surfaces
• Session hijacking
• DNS poisoning
• DDoS
Quick Test
Step 1: Browse to http://bad.ketil.froyn.name/
Step 2: Browse to http://www.example.com
If you see a link to RFC 2606, you are safe.
If you see a page saying POISONED… update your resume… jk
Securing Layer 5
• Choose your authentication protocols wisely
  • Less secure protocols may be tunneled through more secure protocols
• Configure DNS correctly
  • Specify the IP addresses of authorized DNS servers
What is Layer 6?
• Presentation = translation
• Responsible for representing data in different formats
• Responsible for serialization of objects to and from XML
Layer 6 Attack Surfaces
• NetBIOS
• SMB
• IPC$
Securing Layer 6
• Lock down Null Session capability
For clients:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
  0 – Default setting.
  1 – Null sessions cannot be used to enumerate shares or user names.
For servers:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
  0 – Default setting. Null sessions can be used to enumerate shares.
  1 – Null sessions cannot be used to enumerate shares.
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
  0 – Null sessions can enumerate user names.
  1 – Default setting. Null sessions cannot enumerate user names.
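An audit of the two Lsa values described above, as an added PowerShell example that is not from the deck: it reads RestrictAnonymous and RestrictAnonymousSAM, applies the slide's client or server reading of "secure", and returns findings plus a remediation function that honours -WhatIf. It assumes a Windows host with read access to HKLM (and an elevated session for the remediation); the "missing value behaves like the default" rule is the slide's own default column.

```powershell
# Added example: audit and (optionally) set the null-session registry values.
# Assumes a Windows host; Set-NullSessionHardening additionally needs an elevated session.

function Get-NullSessionHardening {
    param(
        [ValidateSet('Client', 'Server')] [string]$Role = 'Server',
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $lsa = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    # A value that is absent behaves like the default listed on the slide:
    # 0 for RestrictAnonymous, 1 for RestrictAnonymousSAM.
    $restrictAnonymous = if ($null -ne $lsa.RestrictAnonymous)    { [int]$lsa.RestrictAnonymous }    else { 0 }
    $restrictSam       = if ($null -ne $lsa.RestrictAnonymousSAM) { [int]$lsa.RestrictAnonymousSAM } else { 1 }

    $findings = @()
    if ($restrictAnonymous -lt 1) {
        $findings += 'RestrictAnonymous=0: null sessions can enumerate shares (expected 1)'
    }
    # The user-name restriction is the server-side setting on the slide.
    if ($Role -eq 'Server' -and $restrictSam -ne 1) {
        $findings += 'RestrictAnonymousSAM=0: null sessions can enumerate user names (expected 1)'
    }

    [pscustomobject]@{
        Role                 = $Role
        RestrictAnonymous    = $restrictAnonymous
        RestrictAnonymousSAM = $restrictSam
        Hardened             = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

function Set-NullSessionHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')

    foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
        if ($PSCmdlet.ShouldProcess("$LsaPath\$name", 'Set to 1')) {
            Set-ItemProperty -Path $LsaPath -Name $name -Value 1 -Type DWord
        }
    }
}

Get-NullSessionHardening -Role Server | Format-List

# Preview the change without applying it; drop -WhatIf to apply.
Set-NullSessionHardening -WhatIf
```

Run the audit across the farm's SharePoint and SQL hosts before changing anything, because the server reading is the one that matters for the share and IPC$ enumeration listed under Layer 6, and a value that was set by Group Policy will be reported the same way as one set by hand.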
Law #6: Absolute anonymity isn't practical, in real life or on the Web
What is Layer 7?
• Top layer of the OSI model
• Interfaces directly with applications and their processes.
• Most of us focus primarily (if not exclusively) at this layer
Layer 7 Attack Surfaces
• DNS
• FTP
• SMTP
• Telnet
• SQL
• Etc, etc, etc
Securing Layer 7
• Use GPO policies to block software installation
• Use GPO policies to prevent misuse of accounts
• Use NAP to enforce access policies
• Use IPsec to secure host-to-host and host-to-server communications
• Follow best practices for securing service accounts
Law #7: Weak passwords trump strong security
Law #8: A computer is only as secure as the administrator is trustworthy
Service Accounts
• Farm
• Setup
• Application Pool
• SQL
SharePoint Service Accounts
• SQL Server Service Account
• SharePoint Setup User Account
• SharePoint Farm Service Account
SharePoint Service Accounts
• Fewest is best
• Least privilege is best
• Some rights will change (and not all are “service” accounts)
Law #9: Your infrastructure is as strong as your weakest link
Law #10: Technology is not a panacea
10 Immutable Laws of Security
Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone
Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more
Law #6: Absolute anonymity isn't practical, in real life or on the Web
Law #7: Weak passwords trump strong security
Law #8: A computer is only as secure as the administrator is trustworthy
Law #9: Your infrastructure is only as strong as your weakest link
Law #10: Technology is not a panacea
Thank you for attending!
Please be sure to fill out your session evaluation!
Resources
• Connect. Share. Discuss.: http://northamerica.msteched.com
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
Scan the Tag to evaluate this session now on myTech•Ed Mobile