The 5-Step Security Checkup for Education
Barbara Chung, Security Advisor, Education, Microsoft Corporation

Uploaded by sandra4211, 30-Oct-2014


Page 1: The 5-Step Security Checkup


Page 2: The 5-Step Security Checkup

Agenda

• Secure Administrative Accounts
• Implement Zones of Trust
• Build a Baseline
• Patch
• Agile Processes

Page 3: The 5-Step Security Checkup

#1 Secure Administrative Rights

Administrative rights are the keys to the kingdom: using them inappropriately can forfeit everything else you do for security. Two general types of problems:

• Attackers who obtain admin credentials

• Users who have been granted admin credentials but may not understand the implications of using them carelessly or incorrectly

Page 4: The 5-Step Security Checkup

#1 Secure Administrative Rights

• The forest is the security boundary, not the domain: you must trust ALL domain admins in the forest.
• Admin accounts: not email-enabled, not used as desktop accounts, and used only on trusted machines.

Page 5: The 5-Step Security Checkup

Administrative Accounts

• The built-in Administrator account
• Created accounts assigned to admin groups
• Accounts that use:
– EFS Data Recovery certificates
– Enrollment Agent certificates
– Key Recovery Agent certificates

Page 6: The 5-Step Security Checkup

Administrative Groups

– …in the Builtin container: for example, Account Operators, Server Operators
– …in the Users container: for example, Domain Admins, Group Policy Creator Owners
– Anything that you create and assign admin privileges to

Page 7: The 5-Step Security Checkup

Administrative Groups: Default Domain Groups

– Enterprise Admins
– Domain Admins
– Schema Admins
– Group Policy Creator Owners
– Administrators group
– Administrator account
– DS Restore Mode Administrator

Page 8: The 5-Step Security Checkup

Admin Account Types

• Local admin accounts
• Domain admin accounts
• Forest admin accounts

Page 9: The 5-Step Security Checkup

Principle of Least Privilege

Always grant the minimum privileges required to complete the current task.

Requires some work, but it helps you understand your organization.

Don't do it: logging on as Domain Admin to troubleshoot a workstation with suspected security problems (a compromised workstation can capture the credential you just typed into it).

Page 10: The 5-Step Security Checkup

Best Practices

• Separate domain administrator and enterprise administrator roles.
• Separate user and administrator accounts.
• Use the Secondary Logon service (runas) to elevate only for the task at hand.
• Run a separate Terminal Services session for administration.
• Rename the default Administrator account.
• Create a decoy Administrator account.
• Create a secondary Administrator account and disable the built-in Administrator account.

Page 11: The 5-Step Security Checkup

Best Practices, cont.

• Enable Account Lockout for remote Administrator logons (passprop.exe).
• Create a strong Administrator password.
• Automate scanning for weak passwords.
• Use administrative credentials on trusted computers only.
• Audit accounts and passwords on a regular basis.
• Prohibit account delegation.
• Control the administrative logon process.
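The audit the last two slides call for can be scripted. The following is an added example, not code from the deck or from Microsoft: it walks the default admin groups named on slides 6 and 7 and checks each member against the rules on slides 4 and 11 (not email-enabled, not delegatable, passwords audited regularly). It needs the ActiveDirectory module (RSAT) for the live query; the rule checker itself works on plain objects, so the constructed sample accounts at the bottom exercise it offline. The 90-day password age, the account names and the mail domain are assumptions.

```powershell
# Added example (not from the original deck): audit the default admin groups
# listed on slides 6-7 against the hygiene rules on slides 4 and 11.
# Requires the ActiveDirectory module (RSAT) when run against a live domain;
# Test-AdminAccountHygiene itself works on plain objects so the rules can be
# exercised offline with the constructed sample at the bottom.

# Group names as they appear in the deck; "Administrators" lives in Builtin.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins',
    'Group Policy Creator Owners', 'Administrators',
    'Account Operators', 'Server Operators'
)

function Test-AdminAccountHygiene {
    # Takes objects with the attributes we care about and returns one finding
    # per violated rule. Rules are the deck's: admin accounts must not be
    # email-enabled, must not be delegatable, and must have current passwords.
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [int] $MaxPasswordAgeDays = 90,     # assumption: your local policy value
        [datetime] $Now = (Get-Date)
    )
    foreach ($a in $Accounts) {
        $findings = New-Object System.Collections.Generic.List[string]
        if ($a.Mail) {
            $findings.Add('email-enabled (slide 4: admin accounts must not receive mail)')
        }
        if (-not $a.AccountNotDelegated) {
            $findings.Add('delegation allowed; set "Account is sensitive and cannot be delegated"')
        }
        if ($a.PasswordNeverExpires) {
            $findings.Add('password never expires')
        }
        if ($a.PasswordLastSet -and (($Now - $a.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays)) {
            $findings.Add("password older than $MaxPasswordAgeDays days")
        }
        if (-not $a.Enabled -and $a.SamAccountName -ne 'Administrator') {
            $findings.Add('disabled account still holds admin group membership; remove it')
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Account = $a.SamAccountName; Group = $a.Group; Finding = $f }
        }
    }
}

function Get-PrivilegedAccountReport {
    # Live version: walk each group recursively (nested groups are where
    # surprise admins hide) and feed the users to the rule checker.
    param([string[]] $Groups = $PrivilegedGroups)
    $accounts = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName `
                        -Properties mail, AccountNotDelegated, PasswordLastSet, PasswordNeverExpires, Enabled
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName; Group = $g; Mail = $u.mail
                    AccountNotDelegated = $u.AccountNotDelegated
                    PasswordLastSet = $u.PasswordLastSet; PasswordNeverExpires = $u.PasswordNeverExpires
                    Enabled = $u.Enabled
                }
            }
    }
    Test-AdminAccountHygiene -Accounts $accounts
}

# Constructed sample (hypothetical accounts) so the rules can be run offline:
# a dedicated admin account that follows the rules and a mail-enabled
# day-to-day account that was dropped into Domain Admins.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-bchung'; Group = 'Domain Admins'; Mail = $null
        AccountNotDelegated = $true;  PasswordLastSet = (Get-Date).AddDays(-20)
        PasswordNeverExpires = $false; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'bchung'; Group = 'Domain Admins'; Mail = 'bchung@contoso.edu'
        AccountNotDelegated = $false; PasswordLastSet = (Get-Date).AddDays(-400)
        PasswordNeverExpires = $true;  Enabled = $true }
)
Test-AdminAccountHygiene -Accounts $sample | Format-Table -AutoSize
```

Run against the sample, the dedicated account produces no findings and the day-to-day account is reported once per broken rule. Against a live domain, run Get-PrivilegedAccountReport from a trusted administrative workstation (slide 4) and schedule it, since membership of these groups drifts between audits.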

Page 12: The 5-Step Security Checkup

References

– The Administrator Accounts Security Planning Guide: http://www.microsoft.com/technet/security/topics/serversecurity/administratoraccounts/default.mspx
– The Services and Service Accounts Security Planning Guide: http://www.microsoft.com/downloads/details.aspx?familyid=F4069A30-01D7-43E8-8B30-3799DB2D9C2F&displaylang=en

Page 13: The 5-Step Security Checkup

#2 Zoning

The concept is simple: enforce zones of trust on and within the network.
– Blue Zone: controlled risk
– Orange Zone: reduced risk
– Red Zone: high risk

Why?
– You are clear about what you are going to manage for security (not EVERYTHING)
– Time = Opportunity

Page 14: The 5-Step Security Checkup

#2 Zoning

• Firewalls
• 802.1x: use it to control access to the wired/wireless network
• IPSec: control end-to-end communication

Page 15: The 5-Step Security Checkup

Zoning: 802.1x at the Border

Standards-based; services and clients are built into newer versions of Windows, but you can mix and match vendors.

Components: authentication directory or directories, RADIUS services, network device (switch, WAP), client software (the supplicant).

Page 16: The 5-Step Security Checkup

#2 IPSec

Domain and Server Isolation

Protect trusted assets from unmanaged, rogue and guest PCs

Complement to other security mechanisms (firewall, antivirus, IDS)

Restrict communication to domain-managed computers

Page 17: The 5-Step Security Checkup

IPsec Domain And Server Isolation

Two scenarios
– Domain isolation
– Server isolation

Protects corporate hosts or servers from unmanaged, rogue, and guest PCs

Allows communication between hosts to be restricted between domain-managed computers

Page 18: The 5-Step Security Checkup

IPsec Domain And Server Isolation (2)

Provides ability to identify and control communications with critical client or server PCs

Complements other host security mechanisms

Complements network access protections

Page 19: The 5-Step Security Checkup

Domain Isolation

Allows host-to-host communication to be limited to domain members (managed computers)

Requires IPsec authentication and protection for any communication with domain members (managed computers)
– Managed computers can initiate communication with managed and unmanaged computers
– Unmanaged computers cannot initiate communication with managed computers

Page 20: The 5-Step Security Checkup

Scenario: Domain isolation

[Diagram: rings of the domain isolation scenario: Common Access Infrastructure, Protected Ring, Quarantine Ring, Boundary Ring; connections between rings are marked Allowed or Blocked]

Page 21: The 5-Step Security Checkup

Server Isolation

Requires IPsec authentication and protection for communications from hosts to specific servers
– Managed computers can initiate communication with specific servers
– Unmanaged computers cannot initiate communication with specific servers

Group-specific server isolation
– Only managed computers that are members of a specific security group can initiate communication with specific servers
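Slides 19 and 21 describe two policies: domain isolation (require authenticated IPsec inbound, only request it outbound, so managed hosts can still reach printers and guests while unmanaged hosts cannot initiate to them) and group-specific server isolation (only computers in one security group may reach a protected service, and only over authenticated IPsec). The following is an added example, not code from the deck or from Microsoft, expressing both with the NetSecurity cmdlets of Windows 8 / Server 2012 and later; the deck predates these cmdlets and built the same policy in the Group Policy editor. The domain name, GPO names, the computer group, the domain controller addresses and the port are assumptions. Writing to a GPO policy store needs domain admin rights and the GroupPolicy module.

```powershell
# Added example (not from the original deck): the two isolation policies from
# slides 19 and 21 as NetSecurity connection security / firewall rules.
# Everything below is authored into a GPO store (assumed names) so that Group
# Policy, not a per-host setting, enforces it. Requires the GroupPolicy and
# ActiveDirectory modules.

function New-DomainIsolationPolicy {
    # Domain isolation: "require inbound, request outbound". A managed host
    # demands Kerberos-authenticated IPsec from anyone connecting to it, but
    # still talks outbound in the clear to hosts that cannot negotiate. That is
    # exactly the asymmetry on slide 19. Domain controllers are exempted so a
    # member can obtain its Kerberos ticket before it can authenticate anything
    # (the Boundary ring on slide 20).
    param(
        [string]   $PolicyStore        = 'contoso.edu\Domain Isolation',   # assumed GPO
        [string[]] $DomainControllers  = @('10.10.0.10', '10.10.0.11')     # assumed addresses
    )
    # Phase 1: authenticate the computer account with Kerberos (domain-joined only).
    $machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Machine Kerberos' `
            -Proposal $machineAuth -PolicyStore $PolicyStore

    # Exemption rule: InboundSecurity None + OutboundSecurity None means "never
    # negotiate IPsec with these peers"; exemptions override other rules.
    New-NetIPsecRule -DisplayName 'Domain Isolation - DC exemption' `
        -RemoteAddress $DomainControllers -InboundSecurity None -OutboundSecurity None `
        -PolicyStore $PolicyStore

    # The isolation rule itself, applied on the Domain profile only.
    New-NetIPsecRule -DisplayName 'Domain Isolation - require in, request out' `
        -InboundSecurity Require -OutboundSecurity Request -Mode Transport `
        -Phase1AuthSet $p1.Name -Profile Domain -PolicyStore $PolicyStore
}

function New-ServerIsolationRule {
    # Group-specific server isolation (slide 21): only computers in one AD
    # security group may reach the given port on the protected server, and
    # they must have authenticated with IPsec (negotiated by the domain
    # isolation rule above). Everything else hits the default inbound block,
    # which is the "All Machines: Blocked" arrow on slide 22.
    param(
        [string] $PolicyStore          = 'contoso.edu\Server Isolation - SIS',  # assumed GPO
        [string] $AllowedComputerGroup = 'SIS Workstations',                    # assumed group
        [int]    $Port                 = 1433,
        [string] $Protocol             = 'TCP'
    )
    $sid = (Get-ADGroup -Identity $AllowedComputerGroup).SID.Value
    # -RemoteMachine takes an SDDL string: owner Local System, one ACE granting
    # the CC right to the group SID. Membership is evaluated from the Kerberos
    # machine ticket presented during the IPsec negotiation.
    $sddl = "O:LSD:(A;;CC;;;$sid)"
    New-NetFirewallRule -DisplayName "Server Isolation - $Protocol/$Port from $AllowedComputerGroup" `
        -Direction Inbound -Action Allow -Protocol $Protocol -LocalPort $Port `
        -Authentication Required -RemoteMachine $sddl -Profile Domain -PolicyStore $PolicyStore
}

# Link the first GPO to the OUs holding managed workstations and servers, and
# the second only to the OU holding the protected servers.
New-DomainIsolationPolicy
New-ServerIsolationRule
```

Verify on a managed client with Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA after connecting to a protected server; a connection from a machine outside the group should produce no security association and a dropped SYN. Roll the domain isolation rule out first with -InboundSecurity Request on a pilot OU, then move to Require once the exemption list covers everything that legitimately cannot negotiate.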

Page 22: The 5-Step Security Checkup

Scenario: Server Isolation

[Diagram: Protected Machine Group (Allowed) versus All Machines (Blocked) reaching the isolated server]

Page 23: The 5-Step Security Checkup

Additional resources

– Microsoft Windows Server 2003 IPsec site: http://www.microsoft.com/ipsec/
– "How to isolate servers by using Internet Protocol security" Support WebCast (see Knowledge Base article 889383)

Page 24: The 5-Step Security Checkup

#2 Zoning

Won't protect against trusted users/machines! (See #1: Secure Administrative Rights.)

Page 25: The 5-Step Security Checkup

Building a Baseline for Trusted Machines

• Create visibility for security incidents
• Automate deployment of lock-down images with tools like RIS (Remote Installation Services) and ADS (Automated Deployment Services)
• Use the Security Configuration Wizard to develop role-based templates
• Use Group Policy to enforce security settings
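A baseline only creates visibility if something compares hosts against it. The following is an added example, not code from the deck or from Microsoft: it parses the INF-style template that secedit exports (the same format the Security Configuration Wizard templates feed into Group Policy), compares a host's live export against the golden template, and reports every setting that drifted. The parser and comparison run offline on the constructed template strings at the bottom; the setting names and values in those strings, and the temp file path, are assumptions.

```powershell
# Added example (not from the original deck): drift check for the baseline on
# slide 25. Golden values come from the template you built with the Security
# Configuration Wizard; live values are exported with secedit. The constructed
# sample at the bottom runs offline.

function ConvertFrom-SecurityTemplate {
    # Parses the [Section] / Key = Value text that secedit exports into a
    # hashtable keyed "Section\Key". Comment lines start with ';'.
    param([Parameter(Mandatory)] [string] $Text)
    $result  = @{}
    $section = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $idx = $line.IndexOf('=')
        if ($idx -lt 1) { continue }              # no key or no '=' at all
        $key = $line.Substring(0, $idx).Trim()
        $val = $line.Substring($idx + 1).Trim()
        $result["$section\$key"] = $val
    }
    $result
}

function Compare-SecurityBaseline {
    # Emits one object per baseline setting that is missing or differs on the
    # host. Settings present on the host but absent from the baseline are
    # ignored: the baseline states what must hold, not everything that exists.
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [Parameter(Mandatory)] [hashtable] $Actual
    )
    foreach ($k in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$k]
        if (-not $Actual.ContainsKey($k)) {
            [pscustomobject]@{ Setting = $k; Expected = $expected; Actual = '<missing>'; Status = 'Drift' }
        } elseif ($Actual[$k] -ne $expected) {
            [pscustomobject]@{ Setting = $k; Expected = $expected; Actual = $Actual[$k]; Status = 'Drift' }
        }
    }
}

function Get-LocalSecurityDrift {
    # Live version: export the host's current policy and compare it with the
    # golden template file. Must run elevated; secedit writes UTF-16 with a
    # BOM, which Get-Content -Raw handles.
    param([Parameter(Mandatory)] [string] $BaselinePath)
    $export = Join-Path $env:TEMP 'secedit-export.inf'    # assumed scratch path
    secedit /export /cfg $export /quiet | Out-Null
    $baseline = ConvertFrom-SecurityTemplate (Get-Content -Raw $BaselinePath)
    $actual   = ConvertFrom-SecurityTemplate (Get-Content -Raw $export)
    Compare-SecurityBaseline -Baseline $baseline -Actual $actual
}

# Constructed sample: a golden template and an export from a host where someone
# weakened the password length and the audit policy never applied.
$golden = @"
; golden template (constructed)
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 10
EnableGuestAccount = 0
[Event Audit]
AuditLogonEvents = 3
"@
$drifted = @"
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 10
EnableGuestAccount = 0
"@
Compare-SecurityBaseline -Baseline (ConvertFrom-SecurityTemplate $golden) `
                         -Actual   (ConvertFrom-SecurityTemplate $drifted) | Format-Table -AutoSize
```

On the sample this reports the shortened password length and the missing audit setting and stays silent on the two settings that match. Run Get-LocalSecurityDrift from a scheduled task on each baseline role and collect the output centrally; a host that drifts from its role template is the first candidate for the incident visibility the slide asks for.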

Page 26: The 5-Step Security Checkup

Patching

….

Page 27: The 5-Step Security Checkup

Agility

Agile processes are critical to maintaining a secure environment:
– Who do users notify when there's a problem?
– Who can call a security crisis?
– What happens when a crisis is called?
– What's the timeline?
– How does your security group interface with the operations group?

Page 28: The 5-Step Security Checkup

Questions?