sim404. question source: demotivation to prevent this.!
TRANSCRIPT
Hey, You! Get Off My Network! (Repeats on 5/19 at 8:30am)
ERDAL OZKAYA Licensed Penetration Tester–MVP-MCT-CEI CEO IT TRAINING [email protected]
Elias [email protected]
SIM404
Agenda:
Hack Proof Your Server Demo What is Penetration Testing Demo
Question
Is Security Part of Your Job?
Think Again!!!
Source: Demotivation
To prevent this.!
Best Practices to Keep Your Servers SAFE!
Golden Rule!
There is no way to STOP a Hacker, you can only make their
job HARDER !
Sound familiar ?
Costs too much money!Too complicatedNot worth the bother!!My SIMPLE firewall protects me We have got “A” Solution
1. If Possible Use Windows SERVER 2008 R2 CORE
Windows Server Core is Secure Because
There is no GUI shellReduced maintenanceReduced attack surface areaReduced management Less disk space required to install
2. Use AppLocker
Replaces the Software Restriction Policies feature
AppLocker will reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs
3. Use Biometrics
Server 2008 R2 enables administrators and users to use
Fingerprint biometric devices to log on to computers,Grant elevation privileges through User Account Control (UAC)Perform basic management of the fingerprint devices.Manage fingerprint biometric devices in Group Policy settings by enabling, limiting, or blocking their use
4. Use Smart Cards
Server 08 R2 make smart cards easier to use and to deploy, and makes it possible to use smart cards to complete a greater variety of tasks
5. Use Strong Passwords
Mandate a minimum password length of at least 8 characters, consider 12… 7 or under is bad under all circumstances
Audit Passwords against English words; (Cain & Abel can do some of it)
Avoid too complex passwords ( for end users)
Train users to avoid simple English words
Remove LM Win 7 and Server 2008 R2 have no support for LAN Man hashes or authentication at all
6. Use Service Accounts
To enhance security while simplifying or eliminating password and Service Principal Name (SPN) management
1. Managed service accountIs designed to provide crucial applications such as SQL Server and IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the SPNand credentials for these accounts
2. Virtual accounts Are "managed local accounts" that can use a computer's credentials to access network resources
7. User Account Control (UAC)
The access control model changed to help mitigate the impact of a malicious program; When a user attempts to start an administrator task or service, the UAC dialog box asks the user to click either Yes or No before the user's full administrator access token can be used
Changes in Server 08 R2 areIncrease the number of tasks that the standard user can perform that do not prompt for administrator approval
Allow a user with administrator privileges to configure the UAC experience in the Control Panel
Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode
Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users
8. Windows Security Auditing
With Server 08 R2 all auditing capabilities have been integrated with Group Policy
Server R2 increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies
New enhancements areGlobal Object Access Auditing"Reason for access" reportingAdvanced audit policy settings
9. Run Security Configuration Wizard (SCW)
SCW guides you through the process of creating, editing, applying, or rolling back a security policy
SCW benefitsdisables unnecessary servicesdetects role dependenciesIt provides hot links to get online helpCan be deployed via Group Policy
10. Use Windows Firewall
Windows Firewall with Advanced Security is an advanced interface for IT professionals
Windows Firewall with Advanced Security is not for home users
11. Disabling Insecure User Accounts
In Windows 2008 server installation, two accounts are created by default
Administrator and GuestDisable or rename admin account
12. Use BitLocker
BitLocker Drive Encryption allows you toEncrypt all data stored on the Windows operating system volumeconfigured data volumes,by using a Trusted Platform Module (TPM), it can also help ensure the integrity of early startup components
13. Use Windows 2008 R2 NAP
Network Access Protection monitors and assess the ‘health” of hosts in a network to determine their level of compliance to the configured health policy. NAP ensures that vulnerable/infected systems don’t become a launch pad for a more wide spread hacker/malicious code attack
14. Use Microsoft Baseline Security Analyzer
MBSA is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems
http://www.microsoft.com/mbsa
15. Be Aware of Social Engineering
Social Engineering Explored
There is no method to ensure complete security from social engineering attacksIts difficult to detectSecurity policy's are strong as their weakest link, and humans are the most susceptible factorThere is no specific SOFTWARE or HARDWARE to defend against it
What Else Can You Do to Protect Your Servers?
Learn to look for weakness...The old excuse is not an EXCUSE
“It will never happen to meIt’s the way we've always done itIt’s standard practice throughout the company….”
Microsoft Tools to Harden our ServersSecurity Compliance Manager
is designed to provide you with an end-to-end solution to help you plan, deploy, and monitor the security baselines of
computers running Windows Server 2008 in your environment
http://go.microsoft.com/fwlink/?LinkId=182512
Have You Met…
SIR?
Microsoft Security Intelligence Report
The Security Intelligence Report (SIR) is an investigation of the current threat landscape
It analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, internet services, and three Microsoft Security Centers
http://www.microsoft.com/security/sir/
demo
How to harden your servers?
What Is Penetration Testing?
Testing the security of systems and architectures from a hacker’s point of viewA “simulated attack” with a predetermined goal.It is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.It is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.
Why Penetration Testing ?
Identify the threats facing your assets
ROSI
Reduce the IT Security costs & provide a better Return On IT Security Investment (ROSI) by identifying & resolving vulnerabilities and weakness
Comprehensive Assessment
Pen Testing will assure the organization that allPolicyProcedure Design & Implementation has been assets
ISMS PDCA example
Interested Parties
Managed information security
Maintain and Improve the ISMSImplement the
ISMS
Establish an ISMS
Monitor and review the ISMS
Plan
Check
Act Do
Interested Parties
Information security
requirements and expectations
Process Best Practice for legal & industry regulations approach
Gain & maintain certification
Information Security Management Systems Like ISO 27001BS7799 HIPPAA ( Privacy certification for Health Insurance Portability and Accountability )etc.
Evaluate the efficiency of Security Devices
What Should be Tested?
A risk assessment should be conducted to identify main threats, such us:
Communications – E-Commerce & loss of confidential information failure Public facing systems, websites, e-mail gateways & remote platformsMail, DNS, firewall, passwords, FTP, IIS & other web servers
Access Points to Your Network
Internet gatewaysModemsWireless NetworksPhysical entrySocial Engineering
What Makes a Good Penetration Test?
Establish the parameters for the pen-test such us: Objectives ,Limitations & justification of procedures
Choose suitable set of tests that balance cost & benefitsFollowing a methodology with proper planning & documentation Stating all the results clearly in the final report
Penetration Testing Is Not…
An alternative to other IT security measures – it complements other testsExpensive game of Capture the FlagA guarantee of securityIt is not a proof techniques. It can never prove the absence of security flaws. It can only prove their presence.
Hacking Methodology (Steps)
Scanning
Footprinting
Enumeration
Gaining Access
Escalating PrivilegePilferting
Covering Tracks
Creating Back Doors
Denial of Service
whois, nslookup
GFILan \nmap
rpcinfo Tcpdump
Johntheripper
Config files, registry rootkits
keystroke loggerremote desktop
Ping of death
Limitations
It’s only valid for the period testedTime to perform
Types of Penetration Testing
External Testing Involves analysis of publicly available information a network enumeration phase, and the behaviour of the security devices analysed
Internal Testing Will be performed from a number of network access points , representing each logical & physical segment
Phases of Pen Testing
Pre- Attack PhaseAttack PhasePost Attack Phase
Pre- Attack PhaseGoals of the attack will be defined
Reconnaissance Refers to phase where attacker gathers as much information as possible (Learn About Target)1. Passive Reconnaissance
Hacker does not interact with the system directlyUse publicly available info
* Social Engineering ,Dumpster Diving2. Active Reconnaissance
Open ports ,Router locations ,Network mapping, Details of O/S & apps
Attack Phase
Penetrate PerimeterAcquire TargetExecute, Implant RetractEscalate Privilege
Penetrating Testing Methodology
Resources used:
www.GFI.comwww.astaro.comEC-Council Licensed Penetration Testerwww.eccouncil.orgwww.optus.comwww.bettertogether.org.au
Recommended Web Sites
www.erdalozkaya.comhttp://www.vulnerabilityassessment.co.uk/http://www.social-engineer.org/http://www.nist.govhttp://dradisframework.org/Your favorite search engine
demo
How to conduct a Pen Test?
Safety and Security Centerhttp://www.microsoft.com/security
Security Development Lifecyclehttp://www.microsoft.com/sdl
Security Intelligence Reporthttp://www.microsoft.com/sir
End to End Trusthttp://www.microsoft.com/endtoendtrust
Trustworthy Computing
Resources
www.microsoft.com/teched
Sessions On-Demand & Community Microsoft Certification & Training Resources
Resources for IT Professionals Resources for Developers
www.microsoft.com/learning
http://microsoft.com/technet http://microsoft.com/msdn
Learning
http://northamerica.msteched.com
Connect. Share. Discuss.
Complete an evaluation on CommNet and enter to win!
Scan the Tag to evaluate this session now on myTech•Ed Mobile
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.