Sinergija09 :: Action!!! Free web site security testing for all companies attending Sinergija09...
Sinergija09 :: Action!!!
• Free web site security testing for all companies attending Sinergija09! Microsoft Software, in cooperation with its partner firm Network Security Solutions, has decided to give every interested company attending Sinergija09, regardless of the number of registered conference visitors, one free basic web site security assessment.
• Registration until 30 November: http://www.netsec.rs
Protecting Windows and Web applications
Dejan Levaja, MVP [Enterprise Security]
Network Security Solutions
http://www.netsec.rs
Agenda
• Server 2008 security mechanisms - a reminder
• IIS 7 security
• Patching
• Auditing
• Scanning and Assessment
• Hardening
• Security Testing
Security and protection
• Security improvements to the kernel
– Kernel patch protection for 64-bit editions
– Security improvements to the heap manager
– Security improvements to the registry
– Code integrity
– Data Execution Prevention
– Address Space Layout Randomization
– Windows Resource Protection
• Security improvements to Windows services
– Windows service hardening
– Session 0 isolation
– Named pipe hardening
• Windows Integrity Mechanism
• Windows Internet Explorer 7/8
– Protected mode
– Extended Validation SSL certificates
• Extensible logon architecture
• Cryptography Next Generation
• Authentication protocol improvements
– Windows implementation of the Kerberos protocol
– TLS/SSL cryptographic enhancements
Threats and vulnerabilities mitigation
• Server role security configuration
• Server Core installation option
• User Account Control
• Web Server (IIS) role
• Backup and recovery
• Windows Firewall with Advanced Security
• Network Policy and Access Services role
– Network Policy Server
– Network Access Protection
– Routing and Remote Access
Secure configuration assessment and management
• Security auditing
• Server security policy management
• Security Configuration Wizard
• Authorization Manager
• Group Policy
• Active Directory Domain Services
– Fine-grained password policies
– Auditing
Identity and access control
• Smart cards
• 802.1X authenticated wired and wireless access
• Backup and restore of stored user names and passwords
• Credential Security Service Provider and single sign-on for Terminal Services logon
• Previous logon information
• Access control user interface
• TrustedInstaller SID
• Restricted SIDs checks
• File system namespace modifications
• Default permissions changes
• Changes to tokens
• Integrity levels
• Icacls command-line tool
• OwnerRights SID
• BitLocker Drive Encryption
• Encrypting File System
• Active Directory Certificate Services
– Cryptography Next Generation
– Online Certificate Status Protocol
– Network Device Enrollment Service
– Web enrollment
– Policy settings
– Restricted enrollment agent
– Enterprise PKI snap-in
• Active Directory Domain Services
• Active Directory Rights Management Service
IIS 7 Security
• Vulnerabilities
– IIS 7 (2006 – Sinergija09) => 2
– Apache 2.2 (2006 – Sinergija09) => 17
– IIS 6 (2003 – Sinergija09) => 8
– Apache 2.0 (2003 – Sinergija09) => 41
• Authentication
• IP and Domain Restriction
• URL Authorization
• Request Filtering
• Certificates
IIS 7 Security - Authentication
• Changes
– IUSR_machine_name => IUSR
– IUSR_machine_name exists only if FTP is also installed
– IUSR runs in the security context of the worker process (Network Service)
– IUSR has no password
– IUSR_WPG => IIS_IUSRS
– Most important: IUSR and IIS_IUSRS are built-in accounts -> the same SID everywhere -> XCOPY /O is possible
• Authentication
– Anonymous
– Basic
– Windows
– Forms
– Certificates*
– Digest
– ASP.NET Impersonation
IIS 7 Security - IP and Domain Restriction
• Restricting access by IP address
• Restricting access by domain name (requires a reverse DNS lookup!)
– Demo
• Dynamic IP Restrictions Extension (beta)
– http://www.iis.net/extensions/DynamicIPRestrictions
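The slide's warning that domain-name restrictions depend on a reverse DNS lookup deserves a concrete illustration: a PTR record is controlled by whoever owns the client's address space, so a name-based rule should only trust a name that also resolves back to the connecting address (forward-confirmed reverse DNS). The following Python is an added example, not IIS code or anything from the presentation; it loosely models an IIS-style allow/deny list (first matching rule wins, `allow_unlisted` standing in for IIS's allowUnlisted setting, an assumption about evaluation order) and injects the DNS resolvers as functions so the constructed `PTR`/`A` tables let it run offline.

```python
"""IP-address and domain-name access restriction with forward-confirmed rDNS.

Added example modelled on IIS 7 IP and Domain Restrictions; the rule list,
resolver functions and DNS tables below are constructed assumptions.
"""
import ipaddress
from typing import Callable, Optional, Sequence, Tuple

Rule = Tuple[str, bool]  # (network in CIDR form, allowed?)


def ip_allowed(client_ip: str, rules: Sequence[Rule], allow_unlisted: bool = True) -> bool:
    """First matching rule decides; allow_unlisted covers addresses no rule mentions."""
    ip = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if ip in ipaddress.ip_network(network, strict=False):
            return allowed
    return allow_unlisted


def confirmed_hostname(client_ip: str,
                       ptr_lookup: Callable[[str], Optional[str]],
                       a_lookup: Callable[[str], Sequence[str]]) -> Optional[str]:
    """Forward-confirmed reverse DNS: the PTR name counts only if it resolves back to the IP."""
    name = ptr_lookup(client_ip)
    if not name:
        return None
    name = name.lower().rstrip(".")
    return name if client_ip in a_lookup(name) else None


def domain_allowed(client_ip: str, allowed_domains: Sequence[str],
                   ptr_lookup: Callable[[str], Optional[str]],
                   a_lookup: Callable[[str], Sequence[str]]) -> bool:
    """Allow the client if its confirmed hostname is in (or under) an allowed domain."""
    name = confirmed_hostname(client_ip, ptr_lookup, a_lookup)
    if name is None:
        return False
    return any(name == d or name.endswith("." + d) for d in allowed_domains)


# Constructed DNS data: 203.0.113.9 carries a PTR record claiming a name inside
# netsec.local, but that name resolves to a different address, so it is rejected.
PTR = {"192.168.0.10": "ws10.netsec.local.", "203.0.113.9": "ws20.netsec.local."}
A = {"ws10.netsec.local": ["192.168.0.10"], "ws20.netsec.local": ["192.168.0.20"]}


def demo() -> dict:
    rules = [("192.168.0.0/24", True), ("10.0.0.0/8", False)]
    a_lookup = lambda n: A.get(n, [])
    return {
        "lan": ip_allowed("192.168.0.10", rules, allow_unlisted=False),
        "denied": ip_allowed("10.1.2.3", rules, allow_unlisted=False),
        "genuine": domain_allowed("192.168.0.10", ["netsec.local"], PTR.get, a_lookup),
        "forged": domain_allowed("203.0.113.9", ["netsec.local"], PTR.get, a_lookup),
    }


if __name__ == "__main__":
    print(demo())
```

The IP rules are cheap and deterministic; the name rule costs two DNS round trips per new client and still only proves control of the address's reverse zone, which is why a domain-name restriction is best kept as a convenience on top of an address-based rule rather than a substitute for it.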
IIS 7 Security - URL Authorization
• NTFS vs URL authorization
– xcopy /o
• Demo – Scenario
• Disable Anonymous Authentication, enable Basic
• Create a group
• Create users and add them to the group
• Delete the default URL Authorization Rule and create a new one
– All of this can also be done from CMD (appcmd.exe)!
Request Filtering – simple WAF
• URLScan => Request Filtering
– Filter Double-Encoded Requests
• '\' => %5c
• '%' => %25
» %255c
• scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ (IIS 5.0)
– Filter High Bit Characters
– Filter Based on File Extensions
– Filter Based on Request Limits
– Filter by Verbs
– Filter Based on URL Sequences
• /../ ,
– Filter Out Hidden Segments
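To show what the Request Filtering categories above actually check, and why the double-decoding rule matters for the IIS 5.0 `%255c` example on the slide, here is an added Python model that is not IIS code and not from the presentation. The deny lists, the allowed-verb set and the size limit are constructed assumptions (IIS's real defaults differ); the point is the order of operations: detect double encoding on the raw URL, then evaluate the sequence, extension and hidden-segment rules on the fully decoded path so an encoded traversal cannot slip past a textual check.

```python
"""Simplified model of the IIS 7 Request Filtering rule categories.

Added example, not IIS code: the lists and limits below are constructed
assumptions, chosen to illustrate each rule rather than to reproduce defaults.
"""
from urllib.parse import unquote

DENIED_EXTENSIONS = {".config", ".cs", ".mdb", ".bak"}          # constructed
ALLOWED_VERBS = {"GET", "POST", "HEAD"}                        # constructed
DENIED_SEQUENCES = ("..", ":", "\\")                           # constructed
HIDDEN_SEGMENTS = {"bin", "app_code", "app_data", "web.config"}  # constructed
MAX_URL_LENGTH = 4096                                          # constructed


def is_double_encoded(raw_url: str) -> bool:
    """True if a second decoding pass still changes the URL, e.g. %255c -> %5c -> '\\'."""
    once = unquote(raw_url)
    return unquote(once) != once


def has_high_bit_chars(raw_url: str) -> bool:
    """True if the decoded URL contains non-ASCII (or undecodable) characters."""
    return any(ord(ch) > 127 for ch in unquote(raw_url))


def check_request(verb: str, raw_url: str) -> list:
    """Return the names of the rules the request violates; an empty list means it passes."""
    violations = []
    if verb.upper() not in ALLOWED_VERBS:
        violations.append("verb")
    if len(raw_url) > MAX_URL_LENGTH:
        violations.append("request-limits")
    if is_double_encoded(raw_url):
        violations.append("double-encoding")
    if has_high_bit_chars(raw_url):
        violations.append("high-bit")

    # The remaining rules inspect the fully decoded path without the query string,
    # so percent-encoding of '.' or '/' does not hide a traversal from them.
    path = unquote(unquote(raw_url)).split("?", 1)[0]
    if any(seq in path for seq in DENIED_SEQUENCES):
        violations.append("url-sequence")

    segments = [s for s in path.replace("\\", "/").split("/") if s]
    if segments:
        last = segments[-1].lower()
        ext = last[last.rfind("."):] if "." in last else ""
        if ext in DENIED_EXTENSIONS:
            violations.append("file-extension")
    if any(s.lower() in HIDDEN_SEGMENTS for s in segments):
        violations.append("hidden-segment")
    return violations


if __name__ == "__main__":
    # The slide's IIS 5.0 request: flagged twice, once for the double encoding
    # itself and once for the '..' sequence it decodes to.
    print(check_request("GET", "scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\"))
    print(check_request("GET", "/app_data/site.mdb"))
    print(check_request("GET", "/index.aspx?id=5"))
```

A legitimately encoded literal percent sign, such as `report%2520final.pdf` for a file named `report%20final.pdf`, is rejected by the double-encoding rule exactly as IIS would reject it; that is the price of the rule, and the reason URLScan and Request Filtering make it configurable rather than unconditional.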
Certificates
• SSL
– one to many mapping
– one to one mapping
– AD mapping
– CRL, delta CRL
– Next, next, finish
• Demo
Patching
• Windows Update
– <= Vista
– OS + IE
• Microsoft Update
– Windows Update + MS Office + Exchange + SQL + ...
– http://www.update.microsoft.com/
• Automatic Update
• Patch Tuesday (and Exploit Wednesday)
• Microsoft Catalog
– http://catalog.update.microsoft.com
Patching
• WSUS 3.0
– Part of Server 2008 (KB 940518)
– SUS == OS; WSUS == OS + everything else
– WSUS = IIS 7 + SQL (WID) + Microsoft Update
– GPO or Registry
• GPO => Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft Update Service Location
• Registry => HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\
– reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://wsus.netsec.local
– reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://wsus.netsec.local
» clients only use these two values once UseWUServer (REG_DWORD, 1) is set under the AU subkey of the same policy key
Auditing
• Auditing in Server 2008
– 4 GB vs > petabyte
– n*1000 evt/sec vs n*10000 evt/sec
– granular audit policy (GAP)
– GPO (R2), AuditPol.exe
• Event Viewer
– XML
• eventquery.vbs, wevtutil.exe
• Demo: Failed logons
– wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text > logon.txt
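Once the events are exported, the useful part of the demo is turning them into a per-source count. The Python below is an added example, not part of the presentation; it assumes the export was produced with `/f:xml` rather than the `/f:text` used on the slide (each record is then one `<Event>` element in the standard Windows event namespace, with no enclosing root), and it queries both 4624 and 4625 because 4624 is the successful-logon event while 4625 is the failed-logon event the demo is named after. The sample records, hostnames and addresses are constructed.

```python
"""Summarize logon events exported from the Security log with wevtutil.

Added example, not from the slides. Assumes an export made with
  wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:xml
4624 = successful logon, 4625 = failed logon.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}  # subset


def _record(event_id: int, when: str, user: str, logon_type: int, ip: str) -> str:
    """Build one constructed <Event> record in the shape wevtutil /f:xml prints."""
    return (f"<Event xmlns='{NS[1:-1]}'><System><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{when}'/><Computer>SRV01.netsec.local</Computer></System>"
            f"<EventData><Data Name='TargetUserName'>{user}</Data>"
            f"<Data Name='LogonType'>{logon_type}</Data>"
            f"<Data Name='IpAddress'>{ip}</Data></EventData></Event>")


# Constructed sample export: three failures for one account from one address,
# one failure for another account, and one successful console logon.
SAMPLE_EXPORT = "\n".join([
    _record(4625, "2009-11-20T09:01:11.000Z", "administrator", 3, "192.168.0.77"),
    _record(4625, "2009-11-20T09:01:14.000Z", "administrator", 3, "192.168.0.77"),
    _record(4625, "2009-11-20T09:01:18.000Z", "administrator", 3, "192.168.0.77"),
    _record(4625, "2009-11-20T09:05:00.000Z", "bob", 10, "192.168.0.12"),
    _record(4624, "2009-11-20T09:06:30.000Z", "alice", 2, "192.168.0.5"),
])


def parse_events(export: str) -> list:
    """Parse a root-less wevtutil XML export into flat dicts."""
    root = ET.fromstring("<Events>" + export + "</Events>")  # wrap the bare records
    events = []
    for ev in root.iter(NS + "Event"):
        system = ev.find(NS + "System")
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        events.append({
            "event_id": int(system.findtext(NS + "EventID")),
            "time": system.find(NS + "TimeCreated").get("SystemTime"),
            "user": data.get("TargetUserName", ""),
            "logon_type": LOGON_TYPES.get(int(data.get("LogonType", "0")), "Other"),
            "ip": data.get("IpAddress", "-"),
        })
    return events


def failed_logons_by_source(events: list) -> Counter:
    """Count 4625 events per (source address, target account)."""
    return Counter((e["ip"], e["user"]) for e in events if e["event_id"] == 4625)


def suspicious_sources(events: list, threshold: int = 3) -> list:
    """Sources with at least `threshold` failures, most frequent first."""
    return [src for src, n in failed_logons_by_source(events).most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for (ip, user), n in failed_logons_by_source(evs).most_common():
        print(f"{n:3d} failed logons  {user}@{ip}")
    print("review:", suspicious_sources(evs))
```

To run it against a real export, replace `SAMPLE_EXPORT` with the contents of the file written by the `wevtutil qe ... /f:xml > logon.xml` redirect; the parser does not care whether records are separated by newlines.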
Scanning
• MBSA
– Security Updates, Administrative Vulnerabilities, IIS, SQL, Desktop apps
– WSUS and MBSA
– GUI, cmd (mbsacli.exe)
– Online, Offline
– wsusscn2.cab - http://go.microsoft.com/fwlink/?LinkId=76054
– Visio Connector (2003, 2007)
– %userprofile%\SecurityScans
– Demo:
• mbsacli.exe /target 192.168.0.10 /u administrator /p P@ssw0rd
• mbsacli.exe /n SQL+IIS /catalog c:\wsusscan2.cab /nd
Assessment
• MSAT
– MSAT is designed to help you identify and address security risks in your IT environment.
– http://technet.microsoft.com/en-us/security/cc185712.aspx
• Over 200 questions based on ISO 27001
• Infrastructure, Applications, Operations, People
• Demo
Hardening
• Windows Firewall with Advanced Security
• IPSec => Server and Domain Isolation
– R2 or not R2?
– Demo
• Security Configuration Wizard
– Demo
Security Testing
• Vulnerability Assessment
– enumerates vulnerabilities
– MBSA, ...
• Penetration Testing
– proves that the vulnerabilities found can actually be exploited
– browser + proxy, metasploit, ...
• Free web site security testing for all companies attending Sinergija09!
• Registration until 30 November: http://www.netsec.rs
Please fill out the evaluations!
Your opinion forms the next Sinergija conference, and it provides us with the means to shape its content to best suit you.
All attendees that fill out the evaluations are taking part in the drawing of special prizes.
Thank you!
Microsoft Community Serbia
http://www.msforge.net