Dirty-Dozen: Top 12 Issues in Windows 2000 Security
Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.


Presentation transcript:

1 Dirty-Dozen: Top 12 Issues in Windows 2000 Security
Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.

2 Agenda
1. Was the FBI Right?
2. Too Trusting?
3. EFS/XP/W2K Issues
4. Anonymous Access Exposes Data
5. Preventing Unauthorized Access
6. NTFS Inheritance
7. Don’t Give Permissions to User Accounts
8. So many security settings to configure!
9. So many boxes to secure
10. Too Many Administrators
11. Patching Mania
12. Weak Passwords

3 1. Was the FBI Right?
- Universal Plug-and-Play standard
- Feature of XP – unfortunately flawed
- Security Bulletin MS01-59
- Q article: Q315056

4 What’s the Fuss?
- Buffer overrun – attacker controls the system
- Endless download cycle (DoS) possible with a maliciously configured device host
- Flooding of a third-party server (DoS) with bogus requests

5 Patch Available
- Windows XP and Windows 98
- Or disable the SSDP Discovery Service

6 Configuration to Limit Exposure – Q315056
- Regulate device download based on scope
- Regulate device description download based on router hops
- Port restrictions
- Delay mechanisms

7 2. Too Trusting
- Security Bulletin MS02-001 – Using SID Filtering to Prevent Elevation of Privilege Attacks
- An administrator of one domain could obtain administrative rights in another

8 Domain Trust Relationships
[Diagram: trusted and trusting domains, W2K and NT]

9 To exploit you’d have to:
- Be a Domain Administrator in the trusted domain
- NT: develop and install custom operating system components
- W2K: binary-edit the data structures that hold the SIDHistory mechanism

10 Protecting Security Boundaries
- No trust
- NT-style trust between domains in separate forests – SID Filtering
- Kerberos-style trust between domains within a forest – NO!!!!!! Do not apply SID Filtering
- Vet, hire and audit trustworthy admins

11 3. EFS/XP/W2K
- EFS algorithms
- Is data loss possible?
- Storage issues
- XP-specific issues
- Best practice

12 Excellent Encryption Product
- Symmetric and asymmetric encryption
- W2K – file recovery
- .NET – file or key recovery

13 Is Data Loss Possible?
- Very possible to lose data
- Disable EFS
- Implement PKI
- Deploy EFS

14 Storage Issues
- Network storage
  - W2K: not encrypted during transport – use IPSec
  - XP: use Web Folders – files remain encrypted
- Copy to FAT – decrypted
- W2K/XP backup preserves encryption

15 XP-Specific Issues
- Sharing encrypted files may be dangerous
- Administrative password reset uncouples the certificate from the user account

16 4. Anonymous Access Exposes Data
- Anonymous access is accomplished via a null domain name, account and password
- Necessary for some applications/services

17 5. Preventing Unauthorized Access
- Windows 2000/XP in a domain – Kerberos
- Compatibility dilemma
  - NT – NTLM
  - Win9x – LM
- NTLMv2 advantage
  - Prevents sending of the LM password hash
  - Available on NT, and on Win9x with the AD client installed
- Registry entry to prevent storage of the LM password hash


19 6. NTFS Permissions Inheritance
- Windows NT – can be cascaded to any level!
- Windows 2000 – can be blocked at the subfolder level
- Windows XP, unlike W2K – can apply defaults on upgrade


21 7. Don’t Give Permissions to User Accounts
- Add user accounts to global groups
- Add global groups to local groups
- Assign permissions to local groups
- W2K native mode: use universal groups
- Promotes ease of administration, assurance of access removal, clear audit path
- Best Practice
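As an added example (not from the presentation), a small Python model of the AGLP nesting the slide describes: accounts go into global groups, global groups into local groups, and only local groups appear in the ACL. It resolves the audit path for an account, flags ACL entries granted directly to a user account, and shows that offboarding needs no ACL edits. All group, account and share names are hypothetical.

```python
# Added example, not from the talk: AGLP (Accounts -> Global groups ->
# Local groups -> Permissions) modelled with constructed, hypothetical names.
MEMBERS = {  # group -> direct members (accounts or nested groups)
    "GG-Payroll": ["alice", "bob"],
    "GG-Finance-Mgrs": ["carol"],
    "LG-PayrollShare-RW": ["GG-Payroll"],
    "LG-PayrollShare-R": ["GG-Finance-Mgrs"],
}
ACL = {  # ACL on the (hypothetical) payroll share: principal -> permission
    "LG-PayrollShare-RW": "Modify",
    "LG-PayrollShare-R": "Read",
    "dave": "Full Control",  # the anti-pattern: permission on a user account
}

def parents(principal, members=MEMBERS):
    """Groups that list this principal as a direct member."""
    return [g for g, m in members.items() if principal in m]

def access_paths(account, members=MEMBERS, acl=ACL):
    """Every permission the account reaches, with the nesting chain that
    grants it (the audit path): account -> global group -> local group."""
    found = []
    def walk(principal, chain):
        if principal in acl:
            found.append((acl[principal], chain))
        for g in parents(principal, members):
            walk(g, chain + (g,))
    walk(account, (account,))
    return found

def direct_user_aces(acl=ACL, members=MEMBERS):
    """AGLP violation check: ACL entries for principals that are not groups."""
    return sorted(p for p in acl if p not in members)

def offboard(account, members=MEMBERS):
    """Remove the account from its global groups. No ACL needs editing,
    which is the 'assurance of access removal' the slide credits to AGLP."""
    for g in parents(account, members):
        members[g].remove(account)
```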

22 8. So Many Security Settings to Configure
Tool

23 9. So Many Boxes to Secure
- Develop baselines for classes of boxes
- Create baseline security templates
- Apply
  - Security Configuration and Analysis
  - Group Policy
- Use to audit system compliance with policy
- Key Feature

24 10. Too Many Administrators
- Use default groups
  - Server/Account/Print Operators
  - Power Users
- Create groups and assign rights and permissions
- Question and evaluate any request for administrative status
- Windows 2000 – use delegation of authority

25 11. Patching Mania
- Everyone says to patch your system ?????
- Windows Update – single systems
- Windows Corporate Update Site: http://corporate.windowsupdate.microsoft.com
- Qchain

26 12. Weak Passwords
- Many attacks require authenticated access
- Default password policy is weak
- Users need training in creating strong passwords
- Consider alternatives – biometrics; smart cards
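As an added example (not from the presentation) tying together slides 16, 17, 23 and 26: a Python audit of a security template (.inf) against a hardening baseline, the kind of compliance check the Security Configuration and Analysis snap-in performs. It flags the weak default password policy, an LmCompatibilityLevel that still sends LM hashes, and an unrestricted RestrictAnonymous. The template text and the baseline minimums are constructed assumptions; the [System Access] keys and the Lsa registry paths are the real template and registry names.

```python
# Added example, not from the talk: audit a security template (.inf) against a baseline.
# Template is constructed to mirror weak W2K defaults; baseline minimums are my assumptions.
SAMPLE_TEMPLATE = r"""[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
BASELINE = {  # (section, key): minimum acceptable value
    ("System Access", "MinimumPasswordLength"): 8,
    ("System Access", "PasswordComplexity"): 1,
    ("System Access", "LockoutBadCount"): 5,
    ("Registry Values", LSA + r"\LmCompatibilityLevel"): 3,  # NTLMv2 only, no LM
    ("Registry Values", LSA + r"\RestrictAnonymous"): 2,     # no null-session access
}

def parse_template(text):
    """INF-style [Section] / key=value text -> {section: {key: raw value}}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def as_number(section, raw):
    """[Registry Values] data is 'type,data'; type 4 is REG_DWORD."""
    if section == "Registry Values":
        regtype, data = raw.split(",", 1)
        return int(data) if regtype.strip() == "4" else None
    return int(raw)

def audit(template_text, baseline=BASELINE):
    """(section, key, actual, required) for every setting missing or below baseline."""
    findings, tpl = [], parse_template(template_text)
    for (section, key), required in baseline.items():
        raw = tpl.get(section, {}).get(key)
        actual = as_number(section, raw) if raw is not None else None
        if actual is None or actual < required:
            findings.append((section, key, actual, required))
    return findings
```

Running audit(SAMPLE_TEMPLATE) lists all five settings as below baseline; a missing key is reported with an actual value of None rather than silently passing.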

27 What is Microsoft Doing? Trustworthy Computing?
- Bill Gates speech on trustworthy computing
- Month-long no-new-code sabbatical
- Can perfect code be produced? What will it cost?
- What’s the track record, really?

28 Stats (www.securityfocus.com)
- Most vulnerabilities: Mandrake Soft Linux with 34
- 2nd, 3rd, 4th place – three other versions of Linux
- 5th: Windows 2000 and 2 versions of Solaris tied with 24 each

29 www.securityfocus.com stats

30 Call to Action!
- Patch and/or disable UPnP
- Understand the meaning of trust
- Disable EFS until PKI
- Restrict anonymous access
- Force NTLMv2 where Kerberos won’t prevail
- Protect key NTFS permissions
- AGLP
- Create security baselines
- Use Group Policy
- Delegate authority
- Patch
- Use strong authentication
- Checklist (hold Bill’s feet to the fire)

31 Questions?
Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.

