sec 372 microsoft systems architecture: the secure datacenter design fred baumhardt luis carvalho...
Post on 19-Dec-2015
Sec 372
Microsoft Systems Architecture: The Secure Datacenter Design
Fred Baumhardt, Microsoft UK
Luis Carvalho, Microsoft Portugal
Agenda
Why we are all in a big mess
Brief intro to Trustworthy Computing
Who Hacks you –Where – and Why
Security Mitigation and Countermeasures
Strategic Defence
Defense-in-Depth Strategy
Physical Defenses
Network Defenses
Host/Device Defenses
Data Defenses
Application Defenses
The Datacenter Security Problem
Some Core Systems
Internet Systems
Departments
Extranets
Branch Offices
Project 1…n System
• Systems organically grown under a "Project" context
• No clear best practice from vendors – plus vulnerabilities
• Security often bolted on as an afterthought
• Fear of change in solution
• The sticky tape thing sort of works – so let's not touch it!
Internet Security Roots
The protocol was not designed for security! The Internet used to require security clearance to use – physical access was restricted – so there was no need for protocol security
Resistance to nuclear attack was more important than protecting traffic
Everyone on the network was trusted (and well intentioned) – they will follow port rules – right??
TCP/IP was thus designed without security in mind – security was added as a bolt-on
Who are the enemies? Answer: *.* – don't trust anyone
Stats vary – but the majority of serious attacks originate internally
Corporate espionage or inside knowledge
"People playing with stuff they don't know"
Self-propagating attacks (Slammer, Nimda)
Externally… could be anyone
"Script kiddies" armed with widely accessible tools – powerful, simple tools, stupid people
More serious attackers – corporate espionage, h@ckuRs looking for greetz
HTTP is Safe and Harmless… Right?
Most firewalls have closed almost all ports other than TCP 80 – but an open port 80 is NOT the same thing as HTTP: the firewall passes whatever is sent to that port
So "developers" create Web Services, SOAP, SIP, RPC/HTTP, etc. to get around this – for them it's called "next generation web services"
Hackers are also developers – they use the same behaviour to perforate security – for them it's called "hacking"
But It's OK – I've got a Firewall…
False – a fake and irrelevant sense of security for people who don't understand it
Most firewalls don't understand the difference between ports and data
Most firewalls don't protect internally – conventional wisdom is that you don't have to
End-to-end encryption invalidates most firewalls and IDS, because they can no longer see the payload
Did your firewall stop Nimda, the Apache worm, the Sendmail Trojan, Love-Letter.vbs?
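As an added illustration of the port-versus-protocol point on the last two slides (example code written for this transcript, not the presenters' or Microsoft's): a classifier that decides what a TCP/80 flow is from its first bytes rather than from the port number. The RPC_IN_DATA/RPC_OUT_DATA verbs are the ones RPC over HTTP uses; the captures are constructed, and treating any unknown verb as "something riding on HTTP" is a design choice of this example, not a vendor rule.

```python
import re

# Request-line grammar: method SP request-target SP HTTP-version CRLF.
REQUEST_LINE = re.compile(rb"^([A-Z_]{1,20}) (\S{1,2048}) HTTP/1\.[01]\r\n")
PLAIN_HTTP_METHODS = {b"GET", b"HEAD", b"POST"}
# Verbs that carry another protocol inside HTTP (RPC over HTTP, proxy tunnels).
TUNNEL_METHODS = {b"RPC_IN_DATA", b"RPC_OUT_DATA", b"CONNECT"}


def classify_port80(payload: bytes) -> str:
    """Classify the first bytes of a TCP/80 flow by content, not by port.

    Returns one of: "http", "http-tunnel", "soap", "tls", "not-http".
    """
    if payload.startswith(b"\x16\x03"):          # TLS record header: encrypted, opaque to the firewall
        return "tls"
    m = REQUEST_LINE.match(payload)
    if not m:
        return "not-http"                        # binary or some other protocol parked on port 80
    method = m.group(1)
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = head.lower()
    if method in TUNNEL_METHODS:
        return "http-tunnel"
    if b"soapaction:" in headers or b"<soap:envelope" in body.lower():
        return "soap"
    if method in PLAIN_HTTP_METHODS:
        return "http"
    return "http-tunnel"                         # unknown verb: assume something is riding on HTTP


# Constructed captures for the example (not real traffic).
SAMPLES = {
    "static": b"GET /index.htm HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "rpc": b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.test:6001 HTTP/1.1\r\n"
           b"Host: mail.example.test\r\n\r\n",
    "soap": b"POST /ws HTTP/1.1\r\nHost: api.example.test\r\n"
            b"SOAPAction: \"urn:Transfer\"\r\nContent-Type: text/xml\r\n\r\n"
            b"<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            b"<soap:Body/></soap:Envelope>",
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}


def classify_all(samples=SAMPLES) -> dict:
    """Run the classifier over every sample and return name -> verdict."""
    return {name: classify_port80(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:8s} -> {verdict}")
```

A port filter passes all five samples; only the two plain requests are what the rule "allow TCP 80" was written for. Note the TLS case: once the payload is encrypted, even content inspection sees nothing, which is the "end-to-end encryption invalidates most firewalls and IDS" point.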
Don’t panic – we’re on it
We all have an industry problem – not a vendor specific one
Strategic Defence – Trustworthy Computing
Technology Defence – SD3+C
People and Process Defence – Microsoft Solutions (MSA, MSS, MSM, MOF)
Trustworthy Computing – The NO BS Version
How much do you trust your computer? Not many people do – so we have to do any and everything until people trust it – earn respect
Cultural change – NOT a marketing campaign
People – process – technology
Core Tenets: Security, Privacy, Reliability, Business Integrity
TwC – Security Framework
Security commitment and disclosure: active in the broad security community; MS Security Response Center – 3rd parties
Secure architecture: security-aware features; reduce vulnerabilities in the code
Reduce attack surface area: unused features off by default; only require minimum privilege
Protect, detect, defend, recover, manage – Process: how-to, architecture guides, MSA; People: training, culture, SBU, leaders
SD3 + Communications
Secure by Design
Secure by Default
Secure in Deployment
Communications
What MSA Addresses
MSA is a solution centred approach to security and infrastructure
MSA can help design and build secure, stable (trustworthy) infrastructures
MSA implements multi-layer – multi-vendor security – with official best practices
MSA reduces your pain in designing and achieving secure, stable solutions
What Ships?
Sample Business Requirements
Planning Guide (design choices & how we arrived at them) for sample instantiation
Build Guides (how-to) for sample instantiation
Test guides, scripts, and test results for sample instantiation
Solution Operations Guide for sample instantiation
Since your requirements will be different, your instantiation will be different.
Architectural & Service "Blueprints" (planning information)
Keys to Architectural Defence
Segmentation of Logical Components in network – by intelligent devices
Encryption only where required – with trusted context
A pro-active/re-active management infrastructure with low latency
Strategic depth-countermeasures covering entire classes of attacks
Heuristic systems like IDS and AV
Security Risk Management Discipline and MSA
Assessment
Asset assessment and valuation
Identifying security risks
Analyzing and prioritizing security risks
Security risk tracking, planning, and scheduling
Development and Implementation
Security remediation development
Security remediation testing
Capturing security knowledge
Operate
Reassessing new and changed assets and security risks
Stabilizing and deploying new or changed countermeasures
MSA Defensive Countermeasures
The full MSA is very rich – some highlights will be covered in the following areas:
Security Zones
Defense-in-Depth Strategy
Physical Defenses
Network Defenses
Host/Device Defenses
Data Defenses
Application Defenses
Security Zones
Tier Restrictions
Intra-zone Tier Communication Restrictions
Inter-zone Communication Restrictions
Defense In Depth
Assume prior layers fail
Identify and potentially mitigate risk at all layers
Layers: Physical Defenses – Network Defense – Host/Device Defense – Data Defense – Application Defense
MSA Instantiation Guidance Recommendations
Physical Defenses
Building that equipment is in is access controlled
Room that equipment is in is access controlled
Racks that equipment is in are access controlled
Perimeter Network Defenses
Routers only allow necessary inbound ports
Perimeter firewalls maintain stateful tables of connections inbound to permitted hosts/ports, and provide reverse and application proxying
Perimeter firewalls allow outbound Internet access originating from only specified servers over specified ports
VPN servers allow secure encrypted remote access to the data center
Architecture Can Prevent Attack
[Network diagram: Internet → Border (redundant routers) → Perimeter (redundant firewalls) → Internal (redundant internal firewalls), with each service on its own VLAN, NIC teams across 2 switches, and intrusion detection]
Networks labelled in the diagram: DNS & SMTP; Client and Site VPN; Proxy; RADIUS Network; Infrastructure Network – Perimeter Active Directory; Infrastructure Network – Internal Active Directory; Messaging Network – Exchange; Management Network – MOM, deployment; Client Network; Intranet Network – Web Servers; Data Network – SQL Server Clusters; Remote datacenter
Internal Network Defenses
Virtual LANs (VLANs) are used to isolate like services from each other
Switch access control lists (ACLs) are used to control traffic flow between VLANs at Layer 3
Layer 2 VLANs are used where no routing is desired
Internal firewalls control port-level access to internal VLANs
Multi-homed DMZ servers… these servers are the only physical connection between the perimeter and internal firewalls
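The security-zone and tier restrictions from the earlier slides, together with the perimeter and internal network rules just listed, modelled as a default-deny allow list plus structural rules that no allow entry is permitted to override. This is an added example for this transcript, not MSA's rule set; the VLAN names, tiers and ports are assumptions based on the network types the deck names.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vlan:
    name: str
    zone: str   # "internet", "perimeter" or "internal"
    tier: str   # "web" (presentation/application), "data", "client" or "mgmt"


# Constructed topology (assumption): one VLAN per service type, as the diagram shows.
VLANS = {v.name: v for v in (
    Vlan("internet", "internet", "web"),
    Vlan("perimeter-web", "perimeter", "web"),
    Vlan("perimeter-dns-smtp", "perimeter", "web"),
    Vlan("intranet-web", "internal", "web"),
    Vlan("data-sql", "internal", "data"),
    Vlan("client", "internal", "client"),
    Vlan("management", "internal", "mgmt"),
)}

# Explicit allow list: (source VLAN, destination VLAN, destination port).
# Anything not listed is denied, which is what router ACLs and firewall rules do by default.
ALLOW = {
    ("internet", "perimeter-web", 80), ("internet", "perimeter-web", 443),
    ("internet", "perimeter-dns-smtp", 25), ("internet", "perimeter-dns-smtp", 53),
    ("perimeter-web", "data-sql", 1433),   # the multi-homed DMZ web server's back-end leg
    ("client", "intranet-web", 443),
    ("intranet-web", "data-sql", 1433),
    ("management", "perimeter-web", 3389), ("management", "data-sql", 3389),
}


def structural_violation(src: str, dst: str) -> Optional[str]:
    """Zone/tier rules that an allow entry may never override."""
    s, d = VLANS[src], VLANS[dst]
    if s.zone == "internet" and d.zone == "internal":
        return "Internet may not reach the internal zone directly; terminate in the perimeter"
    if d.tier == "data" and s.tier not in ("web", "mgmt"):
        return "the data tier is reachable only from the web/application tier or management"
    if d.tier == "mgmt":
        return "nothing initiates connections into the management VLAN"
    return None


def check_flow(src: str, dst: str, port: int) -> Tuple[bool, str]:
    """Decide one flow: explicit allow first, then the structural rules."""
    if (src, dst, port) not in ALLOW:
        return False, "no explicit allow rule (default deny)"
    why = structural_violation(src, dst)
    if why:
        return False, "allow rule contradicts tier restrictions: " + why
    return True, "permitted by allow rule"


def audit_allow_list(rules=ALLOW) -> List[tuple]:
    """Return every allow entry that contradicts the structural rules."""
    return sorted(r for r in rules if structural_violation(r[0], r[1]))


if __name__ == "__main__":
    for flow in [("client", "intranet-web", 443), ("client", "data-sql", 1433),
                 ("internet", "data-sql", 1433), ("perimeter-web", "data-sql", 1433)]:
        print(flow, check_flow(*flow))
    # A rule that someone "temporarily" added so a desktop tool could reach SQL directly:
    print(audit_allow_list(ALLOW | {("client", "data-sql", 1433)}))
```

The model is useful for reviewing a rule set before it is pushed to the switch ACLs and firewalls; the devices themselves still enforce it. The audit function is the part worth automating: an allow entry is how "SQL should not be visible to normal user VLANs" gets silently broken, and a structural check catches it regardless of who added the rule.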
VPN Network Defenses
EAP certificate-based authentication used
L2TP and PPTP used (PPTP to support older clients)
In MSA 2.0, Windows Server 2003's NAT-T is utilized for IPSec
Host Defenses
All servers except the firewalls are members of Windows 2000 and Windows Server 2003 Active Directory, for centralized security administration and management
Windows 2000 and Windows Server 2003 Security Templates
DNS security
Secured installation of IIS 5; minimal installation of IIS 6
Active Directory
Provides centralized management of servers
Organizational Units (OUs) are created for each server type (e.g., Web servers, SMTP servers, DNS servers, etc.)
Security templates are created for each server type and imported into GPOs, which are applied to the OUs
IDC 1.5 uses a single AD forest/single AD domain
EDC 1.5 uses a multi-forest AD with no trusts
MSA 2.0 uses a multi-forest AD with a one-way cross-forest trust (limited)
Active Directory Security Templates
IDC 1.5 ships with security templates that are modified versions of the default Windows 2000 security templates
Primarily self-contained
EDC 1.5 ships with modified security templates from the IDC and the Windows 2000 Security Operations Guide
Applied hierarchically: locked down higher in the OU structure, with necessary back-offs at lower levels in the structure
MSA 2.0 ships with modified versions of the Windows Server 2003 Security Guide templates
Applied hierarchically: locked down higher in the OU structure, with necessary back-offs at lower levels in the structure
Domain And DC Hardening
Domain and Domain Controller Policies
Domain Policy
Password and Account Lockout
Audit Policy
Domain Controller Policy
Server Specific OU Lockdown Policies
System Services (unnecessary services are disabled)
Further Harden TCP/IP Parameters
Implement IPSec Packet Filters
Security Options
Restrict Anonymous, where possible
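The "applied hierarchically, locked down higher, back-offs lower" rule from the security-templates slide, and the Restrict Anonymous / lockout settings from this one, worked through as an added example (written for this transcript; the templates below are constructed in the secedit .inf format and are not the MSA or Windows Server 2003 Security Guide templates). The script layers the templates from domain to child OU, the way GPO precedence does, and reports every setting a lower level loosened.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed templates in the [System Access] / [Registry Values] form that secedit.exe consumes.
DOMAIN_INF = r"""
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

MEMBER_SERVERS_INF = r"""
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

# A lower OU that "backs off" for an application needing anonymous access and no lockout:
# the kind of exception the slide says to expect, and to keep visible.
WEB_SERVERS_INF = r"""
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

RESTRICT_ANON = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"


def parse_template(text: str) -> Dict[str, str]:
    """Flatten the two sections this audit understands into {setting: value}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep registry paths exactly as written
    cp.read_string(text)
    settings: Dict[str, str] = {}
    for section in ("System Access", "Registry Values"):
        if cp.has_section(section):
            settings.update(cp.items(section))
    return settings


def weaker(setting: str, new: str, old: str) -> bool:
    """True when `new` loosens `old`, for the settings this audit knows how to compare."""
    if setting == RESTRICT_ANON:         # stored as "4,N": REG_DWORD type 4, value N
        return int(new.split(",")[1]) < int(old.split(",")[1])
    n, o = int(new), int(old)
    if setting in ("MinimumPasswordLength", "PasswordHistorySize", "PasswordComplexity"):
        return n < o
    if setting == "LockoutBadCount":     # 0 disables lockout entirely, so it is the weakest value
        return o != 0 and (n == 0 or n > o)
    return False


def effective_policy(chain: List[Tuple[str, str]]):
    """Apply templates top-down (domain, then OU, then child OU), later levels winning.

    Returns (effective_settings, back_offs): back_offs lists every setting that a lower
    level loosened relative to the level above it, with the old and new values.
    """
    effective: Dict[str, str] = {}
    back_offs: List[Tuple[str, str, str, str]] = []
    for level, text in chain:
        for key, value in parse_template(text).items():
            if key in effective and weaker(key, value, effective[key]):
                back_offs.append((level, key, effective[key], value))
            effective[key] = value
    return effective, back_offs


CHAIN = [("Domain", DOMAIN_INF),
         ("Member Servers OU", MEMBER_SERVERS_INF),
         ("Web Servers OU", WEB_SERVERS_INF)]

if __name__ == "__main__":
    eff, backs = effective_policy(CHAIN)
    for key, value in eff.items():
        print(f"{key:68s} {value}")
    for level, key, was, now in backs:
        print(f"BACK-OFF at {level}: {key} {was} -> {now}")
```

One caveat a practitioner will hit: password and lockout settings in a GPO linked to an OU only govern the local SAM accounts of the computers in that OU; for domain accounts only the domain-linked policy counts, which is why the slide lists Password and Account Lockout under Domain Policy. The back-off report is still the right artefact to keep: each entry is a documented, reviewable exception rather than a surprise found after an incident.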
Other Server Hardening
Stay Current on Service Packs and Hotfixes
Hotfixes are a fact of life
Disable NetBIOS on Servers in the DMZ
If using Terminal Services on DMZ servers, restrict TS to only the internal interface (if multi-homed)
Secure Local and Domain Accounts
Secure the File System, use NTFS permissions
Remove Default Administrator File Share Access
Secure the Administrator Accounts
Don't configure Windows Server 2003 Active Directory domains for pre-Windows 2000 compatible access unless necessary
Some applications need it
DNS Security
Assessing DNS needs:
Perimeter server AD DNS lookups
Perimeter server public DNS lookups
Internal server AD DNS lookups
Internal server public DNS lookups
External employee/customer lookup of the company's public servers
Internal employee lookup of public servers (EDC)
Separate internal AD, perimeter AD, and public DNS zones
Separate "resolver" and "advertiser" servers
Port access controlled for inbound/outbound DNS servers
DNS "listens" only on the appropriate interface
Zone transfers and forwarders are tightly controlled
IIS Hardening
Disable Directory Browsing
Set Appropriate ACLs on Virtual Directories
No sample applications installed
ACL the IIS Log Files and Configure Auditing
Only .htm and .asp processing configured
Disable Parent Paths
Disable system error messages on production servers
URLScan Tool configured
Some of this is by default in IIS 6.0
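What "only .htm and .asp", "disable parent paths" and "URLScan configured" add up to at the request level, as an added example for this transcript (not URLScan itself and not from the deck): a request-line filter in the spirit of URLScan's AllowVerbs, AllowExtensions, DenyUrlSequences and AllowDotInPath options. The policy values are assumptions chosen to match the slide, not URLScan's shipped defaults, and the request lines are constructed; the traversal line is of the form the Nimda worm used against unpatched IIS.

```python
import re
from os.path import splitext
from urllib.parse import unquote

# Constructed policy (assumption), modelled on URLScan's option names.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    "allow_extensions": {"", ".htm", ".asp"},          # "" covers directory / default-document requests
    "deny_url_sequences": ["..", "./", "\\", ":", "%"],  # traversal, alternate data streams, encoding tricks
    "max_url_length": 260,
    "allow_dot_in_path": False,
    "allow_high_bit": False,
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def check_request(request_line: str, policy=POLICY) -> tuple:
    """Return (allowed, reason) for one HTTP request line, evaluated URLScan-style."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "malformed request line"
    verb, target = m.groups()
    if verb not in policy["allow_verbs"]:
        return False, f"verb {verb} not allowed"
    if len(target) > policy["max_url_length"]:
        return False, "URL exceeds maximum length"
    path = target.split("?", 1)[0]
    if not policy["allow_high_bit"] and any(ord(c) > 127 for c in path):
        return False, "high-bit character in URL"
    # Check the raw path and its once-decoded form, so %2e%2e does not slip past "..".
    for candidate in (path, unquote(path)):
        for seq in policy["deny_url_sequences"]:
            if seq in candidate:
                return False, f"denied sequence {seq!r}"
    segments = unquote(path).split("/")
    if not policy["allow_dot_in_path"] and any("." in s for s in segments[:-1]):
        return False, "dot in directory name"
    ext = splitext(segments[-1])[1].lower()
    if ext not in policy["allow_extensions"]:
        return False, f"extension {ext or '(none)'} not allowed"
    return True, "ok"


# Constructed request lines for the example (not captured traffic).
SAMPLES = [
    "GET /default.asp HTTP/1.1",
    "POST /orders.asp?id=7 HTTP/1.1",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "PROPFIND /docs/ HTTP/1.1",
    "GET /cgi-bin/upload.exe HTTP/1.1",
    "GET /reports.old/index.htm HTTP/1.1",
]


def filter_all(samples=SAMPLES) -> list:
    """Evaluate every sample; returns (line, allowed, reason) triples."""
    return [(line, *check_request(line)) for line in samples]


if __name__ == "__main__":
    for line, ok, why in filter_all():
        print("ALLOW" if ok else "DENY ", f"{line:60s}", why)
```

Two of the six requests survive; the others fail on verb, extension, traversal or directory-name rules before IIS ever maps them to a file. The "deny `%`" rule is blunt (it rejects every percent-encoded URL), which is the trade-off the real tool made too: on a server that only serves .htm and .asp, there is nothing legitimate that needs it.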
Data Defenses – SQL
Authentication – Windows Integrated – avoid Mixed mode
Data encryption for Mixed-mode logins using SSL
Strong password for, and limited use of, the SA account
Validate input at the DB – call stored procs, not ad hoc queries
Connection pooling – performance vs security
SQL should not be visible to normal user VLANs
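The "call stored procs, not queries" point, shown as an added example (written for this transcript, not from the deck): the same login lookup, first assembled from strings and then with bound parameters. sqlite3 stands in for SQL Server so the example runs without a server; it has no stored procedures, so a parameterized query plays the part that a stored procedure with typed parameters (EXEC usp_Login @name, @hash) plays on SQL Server. The table and rows are constructed.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the data tier, with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return con


def login_concat(con: sqlite3.Connection, name: str, pw_hash: str) -> list:
    """The pattern the slide warns against: query text assembled from user input."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND pw_hash = '{pw_hash}' ORDER BY name")
    return con.execute(sql).fetchall()


def login_param(con: sqlite3.Connection, name: str, pw_hash: str) -> list:
    """Bound parameters: the input can only ever be data, never query text.

    On SQL Server the equivalent is a stored procedure call with typed parameters;
    the plan is fixed in advance and the values are bound, so the same payload is
    compared as a literal string and matches nothing.
    """
    sql = "SELECT name, role FROM users WHERE name = ? AND pw_hash = ? ORDER BY name"
    return con.execute(sql, (name, pw_hash)).fetchall()


# A tautology payload supplied in the password field.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both variants with a normal value and with the payload."""
    con = build_db()
    return {
        "concat_normal": login_concat(con, "alice", "h1"),
        "concat_injected": login_concat(con, "alice", PAYLOAD),
        "param_normal": login_param(con, "alice", "h1"),
        "param_injected": login_param(con, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:16s} -> {rows}")
```

With string concatenation the WHERE clause becomes `name = 'alice' AND pw_hash = 'x' OR '1'='1'`, and because AND binds tighter than OR every row comes back, admin included. The bound version returns nothing for the same input. Validating at the database (typed parameters, stored procedures with no dynamic SQL inside them) is what makes this hold regardless of which application, or which developer, is calling.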
Data Defenses – Storage
SAN security guidelines
NTFS and Share Permissions
SMB Signing
Avoid usage of LanMan and legacy auth protocols
Separate network segments for internal and perimeter servers
Avoid storing data on external VLANs if possible
Application Defenses
"Application Security Best Practices at Microsoft"
www.microsoft.com/technet/itsolutions/msit/security/appsecbp.asp
"Securing Windows 2000 Server" – Microsoft Solution for Securing Windows 2000 Server
www.microsoft.com/technet/security/prodtech/windows/secwin2k/
The Security section of the Microsoft Developer Network (MSDN) Web site at the following URL
msdn.microsoft.com/nhp/Default.asp?contentid=28001191&frame=true
"Writing Secure Code", Michael Howard and David LeBlanc, ISBN 0-7356-1722-8, April 2002, from MSPress; for more information see
www.microsoft.com/mspress/books/5957.asp
"Designing Secure Web-Based Applications for Microsoft Windows 2000", Michael Howard, ISBN 0-7356-0995-0, July 2000, from MSPress; for more information see
www.microsoft.com/mspress/books/4293.asp
"Microsoft Patterns and Practices: Reference Building Blocks" at the following URL
msdn.microsoft.com/practices/type/Blocks/default.asp
Resources
MSA Enterprise DataCenter 1.5
MSA Internet DataCenter 1.5
MSA 2.0 Technical Preview
Available today from http://www.microsoft.com/systemsarchitecture
We welcome your feedback, E-Mail your comments to [email protected]
Available today from MSS: Windows Server 2003 Security Guide at http://microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89 B655521EA6C7B4DB&displaylang=en
Ask The Experts – Get Your Questions Answered
Luis and Fred will be available in the ATE area after this session – come talk to us
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups – converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups – meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
Evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.