Hey, You! Get Off My Network! (Repeats on 5/19 at 8:30am)

ERDAL OZKAYA Licensed Penetration Tester–MVP-MCT-CEI CEO IT TRAINING erdal@ceotraining.com.au

Elias MerebMVP-MCTemereb@widetechconsulting.com

SIM404

Agenda:

Hack Proof Your Server Demo What is Penetration Testing Demo

Question

Is Security Part of Your Job?

Think Again!!!

Source: Demotivation

To prevent this.!

Best Practices to Keep Your Servers SAFE!

Golden Rule!

There is no way to STOP a Hacker, you can only make their

job HARDER !

Sound familiar ?

Costs too much money!Too complicatedNot worth the bother!!My SIMPLE firewall protects me We have got “A” Solution

1. If Possible Use Windows SERVER 2008 R2 CORE

Windows Server Core is Secure Because

There is no GUI shellReduced maintenanceReduced attack surface areaReduced management Less disk space required to install

2. Use AppLocker

Replaces the Software Restriction Policies feature

AppLocker will reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs

3. Use Biometrics

Server 2008 R2 enables administrators and users to use

Fingerprint biometric devices to log on to computers,Grant elevation privileges through User Account Control (UAC)Perform basic management of the fingerprint devices.Manage fingerprint biometric devices in Group Policy settings by enabling, limiting, or blocking their use

4. Use Smart Cards

Server 08 R2 make smart cards easier to use and to deploy, and makes it possible to use smart cards to complete a greater variety of tasks

5. Use Strong Passwords

Mandate a minimum password length of at least 8 characters, consider 12… 7 or under is bad under all circumstances

Audit Passwords against English words; (Cain & Abel can do some of it)

Avoid too complex passwords ( for end users)

Train users to avoid simple English words

Remove LM Win 7 and Server 2008 R2 have no support for LAN Man hashes or authentication at all

6. Use Service Accounts

To enhance security while simplifying or eliminating password and Service Principal Name (SPN) management

1. Managed service accountIs designed to provide crucial applications such as SQL Server and IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the SPNand credentials for these accounts

2. Virtual accounts Are "managed local accounts" that can use a computer's credentials to access network resources

7. User Account Control (UAC)

The access control model changed to help mitigate the impact of a malicious program; When a user attempts to start an administrator task or service, the UAC dialog box asks the user to click either Yes or No before the user's full administrator access token can be used

Changes in Server 08 R2 areIncrease the number of tasks that the standard user can perform that do not prompt for administrator approval

Allow a user with administrator privileges to configure the UAC experience in the Control Panel

Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode

Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users

8. Windows Security Auditing

With Server 08 R2 all auditing capabilities have been integrated with Group Policy

Server R2 increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies

New enhancements areGlobal Object Access Auditing"Reason for access" reportingAdvanced audit policy settings

9. Run Security Configuration Wizard (SCW)

SCW guides you through the process of creating, editing, applying, or rolling back a security policy

SCW benefitsdisables unnecessary servicesdetects role dependenciesIt provides hot links to get online helpCan be deployed via Group Policy

10. Use Windows Firewall

Windows Firewall with Advanced Security is an advanced interface for IT professionals

Windows Firewall with Advanced Security is not for home users

11. Disabling Insecure User Accounts

In Windows 2008 server installation, two accounts are created by default

Administrator and GuestDisable or rename admin account

12. Use BitLocker

BitLocker Drive Encryption allows you toEncrypt all data stored on the Windows operating system volumeconfigured data volumes,by using a Trusted Platform Module (TPM), it can also help ensure the integrity of early startup components

13. Use Windows 2008 R2 NAP

Network Access Protection monitors and assess the ‘health” of hosts in a network to determine their level of compliance to the configured health policy. NAP ensures that vulnerable/infected systems don’t become a launch pad for a more wide spread hacker/malicious code attack

14. Use Microsoft Baseline Security Analyzer

MBSA is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems

http://www.microsoft.com/mbsa

15. Be Aware of Social Engineering

Social Engineering Explored

There is no method to ensure complete security from social engineering attacksIts difficult to detectSecurity policy's are strong as their weakest link, and humans are the most susceptible factorThere is no specific SOFTWARE or HARDWARE to defend against it

What Else Can You Do to Protect Your Servers?

Learn to look for weakness...The old excuse is not an EXCUSE

“It will never happen to meIt’s the way we've always done itIt’s standard practice throughout the company….”

Microsoft Tools to Harden our ServersSecurity Compliance Manager

is designed to provide you with an end-to-end solution to help you plan, deploy, and monitor the security baselines of

computers running Windows Server 2008 in your environment

http://go.microsoft.com/fwlink/?LinkId=182512

Have You Met…

SIR?

Microsoft Security Intelligence Report

The Security Intelligence Report (SIR) is an investigation of the current threat landscape

It analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, internet services, and three Microsoft Security Centers

http://www.microsoft.com/security/sir/

demo

How to harden your servers?

What Is Penetration Testing?

Testing the security of systems and architectures from a hacker’s point of viewA “simulated attack” with a predetermined goal.It is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.It is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.

Why Penetration Testing ?

Identify the threats facing your assets

ROSI

Reduce the IT Security costs & provide a better Return On IT Security Investment (ROSI) by identifying & resolving vulnerabilities and weakness

Comprehensive Assessment

Pen Testing will assure the organization that allPolicyProcedure Design & Implementation has been assets

ISMS PDCA example

Interested Parties

Managed information security

Maintain and Improve the ISMSImplement the

ISMS

Establish an ISMS

Monitor and review the ISMS

Plan

Check

Act Do

Interested Parties

Information security

requirements and expectations

Process Best Practice for legal & industry regulations approach

Gain & maintain certification

Information Security Management Systems Like ISO 27001BS7799 HIPPAA ( Privacy certification for Health Insurance Portability and Accountability )etc.

Evaluate the efficiency of Security Devices

What Should be Tested?

A risk assessment should be conducted to identify main threats, such us:

Communications – E-Commerce & loss of confidential information failure Public facing systems, websites, e-mail gateways & remote platformsMail, DNS, firewall, passwords, FTP, IIS & other web servers

Access Points to Your Network

Internet gatewaysModemsWireless NetworksPhysical entrySocial Engineering

What Makes a Good Penetration Test?

Establish the parameters for the pen-test such us: Objectives ,Limitations & justification of procedures

Choose suitable set of tests that balance cost & benefitsFollowing a methodology with proper planning & documentation Stating all the results clearly in the final report

Penetration Testing Is Not…

An alternative to other IT security measures – it complements other testsExpensive game of Capture the FlagA guarantee of securityIt is not a proof techniques. It can never prove the absence of security flaws. It can only prove their presence.

Hacking Methodology (Steps)

Scanning

Footprinting

Enumeration

Gaining Access

Escalating PrivilegePilferting

Covering Tracks

Creating Back Doors

Denial of Service

whois, nslookup

GFILan \nmap

rpcinfo Tcpdump

Johntheripper

Config files, registry rootkits

keystroke loggerremote desktop

Ping of death

Limitations

It’s only valid for the period testedTime to perform

Types of Penetration Testing

External Testing Involves analysis of publicly available information a network enumeration phase, and the behaviour of the security devices analysed

Internal Testing Will be performed from a number of network access points , representing each logical & physical segment

Phases of Pen Testing

Pre- Attack PhaseAttack PhasePost Attack Phase

Pre- Attack PhaseGoals of the attack will be defined

Reconnaissance Refers to phase where attacker gathers as much information as possible (Learn About Target)1. Passive Reconnaissance

Hacker does not interact with the system directlyUse publicly available info

* Social Engineering ,Dumpster Diving2. Active Reconnaissance

Open ports ,Router locations ,Network mapping, Details of O/S & apps

Attack Phase

Penetrate PerimeterAcquire TargetExecute, Implant RetractEscalate Privilege

Penetrating Testing Methodology

Resources used:

www.GFI.comwww.astaro.comEC-Council Licensed Penetration Testerwww.eccouncil.orgwww.optus.comwww.bettertogether.org.au

Recommended Web Sites

www.erdalozkaya.comhttp://www.vulnerabilityassessment.co.uk/http://www.social-engineer.org/http://www.nist.govhttp://dradisframework.org/Your favorite search engine

demo

How to conduct a Pen Test?

Safety and Security Centerhttp://www.microsoft.com/security

Security Development Lifecyclehttp://www.microsoft.com/sdl

Security Intelligence Reporthttp://www.microsoft.com/sir

End to End Trusthttp://www.microsoft.com/endtoendtrust

Trustworthy Computing

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

http://northamerica.msteched.com

Connect. Share. Discuss.

Complete an evaluation on CommNet and enter to win!

Scan the Tag to evaluate this session now on myTech•Ed Mobile

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.