Identity Management and Security Summit – Partner Technical Session

Identity Management and Security Summit - Partner Technical Session Jamie Sharp CISSP Microsoft Consulting [email protected]

Agenda - MS QuickStart for Operating Secure Servers Service Overview Deliverables and Resources Goals of the engagement Key concepts to communicate to the customer

Fixed-price Service Sold as 2 weeks. Partner sets price. 96 hours delivery consultant(s) 2 weeks (80hrs) plus 2 days for auxiliary expert, research, etc. 32 hours QA delivered by Microsoft expert (fee for QA & IP license) Engagement is simply “fixed price” to the customer, do not discuss specific hours.

Target Customers In it’s “pure” form, the target is the mid-size corporation 500-10,000 seats. Larger customers can be accommodated Invested in Windows 2000: Some value to NT 4 customer but the prescriptive guidance assumes Windows 2000. Looking to understand their current exposure and what is possible to achieve.

Consultant Requirements MCSE (Active Directory Architect) CISSP or equivalent cert/experience ITIL Foundations or MOF Essentials Comfortable in a Project Lead Role MS QuickStart trained Comfortable in presenting and leading design sessions

Project Schedule Week #1 Brief Security Intro Assessment Week #2 Brief Operations Overview Operations Workshop Prescriptive Configuration Guidance and Design

Consultant Resources Presentations Security Intro Operations Overview Delivery Guide Security Operations Guide Worksheet Consultant Guide for SOG Worksheet

Consultant Deliverables Resource Planning Guide Assessment Known vulnerability spreadsheet Baseline Security analyzer Assessment report template Configuration Guidance Security Operations Guide Windows 2000 Server Microsoft Operations Framework Core Documents Security Operations Guide Worksheet

Tools Used Microsoft Baseline Security Analyzer HFNetChk Group policies and security templates IIS Lockdown and URLScan EventCombMT DCDiag, NetDiag, NSLookUp, RepAdmin, GPResult, GPOTool, etc.

Techniques Used Thread modeling: S.T.R.I.D.E. Risk management Change, Configuration and Release management Maintaining hotfixes & service packs Ongoing monitoring and assessment Incident response

Engagement Goals Get secure: Security assessment Application of current OS updates Host configuration best practices Stay secure: Operational best practices Leverage Active Directory to implement management of servers by roll using organizational units, group policies, and delegation of administration Identify update procedures to keep patches up to date Use auxiliary tools like URLScan to help protect IIS servers from yet-to-be discovered

Engagement Goals Just an assessment, even a full assessment would NOT be enough. A “Plan to Operate Securely”, turns the findings in the assessment into manageable configuration and operations tasks and gets them moving in a positive direction. Without the Assessment, the “Plan to Operate Securely” may not have the weight/backing it needs. Both are needed!

Why is the Engagement so Short? We’re going for quick results, results that can be demonstrated for the client. Follow-on work will be necessary, this engagement is only the start. Assessment gives justification for the effort of the follow-on work and the best practices show that it is a doable effort.

Summary Microsoft QuickStart Service is a complete packaged service Use the resources provided to you Manage to the time allowed Avoid scope creep The Assessment and the Planning do not create an endpoint, it is a quick start

2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Agenda Understanding Security Current Situation Solution Components Roadmap Wireless VPN Perimeter

Understanding Security

Understanding Security Risk Management Resources Threats Vulnerabilities Exploits Countermeasures

Defence in Depth Assume prior layers fail Perimeter Defenses Network Defenses Host Defenses Application Defenses Data Defenses Physical Security Policies and Procedures

Principle of Least Privilege Any administrator, user, service etc. that needs to perform a task, should only be granted the minimum rights and permissions necessary to perform that task.

Threat Modeling You cannot build secure infrastructure or applications unless you understand the associated threats.

Security Challenges Te ch no l og y s es oc Pr Products lack security features Products have bugs Many issues are not addressed by technical standards Too hard to stay up-to-date People Lack of knowledge Lack of commitment Human error Design for security Roles & responsibilities Audit, track, follow-up Response plans Stay up-to-date with security development

Current Situation

Current Situation Patches proliferating Time to exploit decreasing Exploits are more sophisticated Current approach is not sufficient Days between patch and exploit 331 180 151 25 Nim Sla SQL da mm er Security is our #1 Priority There is no silver bullet Change requires innovation We Bla l ste c Na hia r ch / i

Customer Feedback You’ve Told Us Our Action Items “The quality of the patching process is low and inconsistent” Improve the Patching Experience “I need to know the right way to run a Microsoft enterprise” Provide Guidance and Training “I can’t keep up new patches are released every week” “There are still too many vulnerabilities in your products” Mitigate Vulnerabilities Without Patches Continue Improving Quality

Addressing The Situation Security and Patch Management Priority #1 at Microsoft Comprehensive tactical and strategic approach to addressing the situation Trustworthy Computing Initiative SD3 C Security framework Patch Management Initiative

Patch Management Initiative Progress to Date Informed & Prepared Customers Consistent & Superior Update Experience Superior Patch Quality Best Patch & Update Management Solutions Rationalized Rationalized patch patch severity severity rating rating levels levels Better Better security security bulletins bulletins and and KB KB articles articles Security Security Readiness Readiness Kit; Kit; Patch Patch Management Management guidance, guidance, etc. etc. Standardized patch Standardized patch and and update update terminology terminology Standardized Standardized patch patch naming naming and and installer installer switch switch options* options* Installer Installer consolidation consolidation plan plan in in place place –– will will go go from from 8 8 to to 2 2 Reduced Reduced patch patch release release frequency frequency from from 1/week 1/week to to 1/month 1/month Improved Improved patch patch testing testing process process and and coverage coverage Expanded Expanded test test process process to to include include customers customers Reduced Reduced reboots reboots by by 10%; 10%; reduced reduced patch patch size size by by up up to to 75%** 75%** Developed Developed Patch Patch & & Update Update Management Management tools tools roadmap roadmap SUS SUS 2.0 2.0 in in development: development: significantly significantly enhanced enhanced capabilities capabilities SMS SMS 2003 2003 delivers delivers expanded expanded patch patch and and update update management capabilities management capabilities More on the Patch Management Initiative in the Roadmap Section of this presentation *Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0 **75% for Windows Update installs, more than 25% for other patches

Solution Components

Successful Patch Management Trained People Tools & Technologies Repeatable Processes

Patch Management Process 1. Assess Environment to be Patched 2. Identify New Patches Periodic Tasks A. Create/maintain baseline of systems B. Access patch management architecture (is it fit for purpose) C. Review Infrastructure/ configuration Tasks A. Identify new patches B. Determine patch relevance (includes threat assessment) C. Verify patch authenticity & integrity (no virus: installs on isolated system) Ongoing Tasks A. Discover Assets B. Inventory Clients 1. Assess 2. Identify 4. Deploy 3. Evaluate 4. Deploy the Patch 3. Evaluate & Plan Patch Deployment Tasks A. Distribute and install patch B. Report on progress C. Handle exceptions D. Review deployment Tasks A. Obtain approval to deploy patch B. Perform risk assessment C. Plan patch release process D. Complete patch acceptance testing

Patch Management Guidance Prescriptive guidance from Microsoft for effective patch management Uses Microsoft Operations Framework (MOF) Based on ITIL* (defacto standard for IT best practices) Details requirements for effective patch management: Technical & operational pre-requisites Operational processes & how technology supports them Daily, weekly, monthly & as-needed tasks to be performed Testing options Three patch management guidance offerings *Information Technology Infrastructure Library **Emphasizes security patching & overall management Microsoft Guidesecurity to Security Patch Management ** ***Comprehensive coverage of patch management using the specified technology

MBSA Helps identify vulnerable Windows systems Scans for missing security patches and common security mis-configurations Scans various versions of Windows and other Microsoft applications New Update Assess Identify Evaluate & Plan Deploy Scans local or multiple remote systems via GUI or command line invocation Generates XML scan reports on each scanned system Runs on Windows Server 2003, Windows 2000 and Windows XP Integrates with SUS & SMS

Software Update Services Deploys Windows security patches, security rollups, critical updates*, and service packs only Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only New Update Assess Identify Evaluate & Plan Deploy Provides patch download, deployment, and installation configuration options Bandwidth optimized content deployment Provides central administrative control over which patches can be installed from Windows Update Provides basic patch installation *Including critical driver updates status logging

SMS 2003 Identifies & deploys missing Windows and Office security patches on target systems Can deploy any patch, update, or application in Windows environments Inventory management & inventory based targeting of software installs New Update Install verification and detailed reporting Assess Flexible scheduling of content sync & installs Identify Evaluate & Plan Deploy Central, full administrative control over installs Bandwidth optimized content distribution

Choosing A Patch Management Solution Typical Customer Decisions Custom er Type Large or Medium Enterpri se Small Business Scenario Custom er Choose s Want single flexible patch management solution with extended level of control to patch & update ( distribute) all software SMS Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows** SUS Have at least 1 Windows server and 1 IT administrator** SUS All other scenarios Window s Update Window s Update Adopt solution that best meets the Consum the All scenarios er needs of your organisation dows 2000, Windows XP, Windows Server 2003 tomer uses Windows Update or manual process for other OS versions & applications software stomer

Roadmap

Informed & Prepared Customers New Security & Patch Management workshops Regular web casts on security patch management* Updated roadmap, whitepapers, and guidance Q4 ‘02 Q1 ‘03 Improved KB Articles Security Bulletin Teleconfere nces Q2 ‘03 Q3 ‘03 Q4 ‘03 Q1 ‘04 Patch Management Guides GTM Partnership Bulletin Deliverables Search Page Q2 ‘04 Revised Patch Management Guides Informed and Prepared Customers Clearer Severity Rating Patch Levels Management Guides Security Readiness Kit (Guides, Tools, Best Practices) Patch Management Roadmap Sustaining Engineering Practices White Patch Paper Management White Paper e http://www.microsoft.com/usa/webcasts/upcoming/default.asp for upcoming web casts Q3 ‘04

Consistent & Superior Update Experience Q1 ‘03 Q2 ‘03 Standard installer switches Standard defined naming and signing Q3 ‘03 Q4 ‘03 Q1 ‘04 Add/Remove Program Improvements Standard terminology for documentation Q2 ‘04 MSI 3.0 Q3 ‘04 Q4 ‘04 Standard Detection Manifest 2 Installers: MSI, Update.exe Consistent & Superior Update Experience Patches & Security Bulletins released once a month Standard Titles* Standard Registry Entries Standard Property Sheet MSI 3.0 supports uninstall, binary delta patching, etc. – Q2 2004 Converge to two installers – Q4 2004 Monthly patch delivery for non-emergency patches - Today dd/Remove Programs, Windows Update, and Download Center

Superior Patch Quality Up to 75% reduction in patch size* 10% reduction in patch reboots Patch test process extended to include customers Q4 ‘02 Q1 ‘03 Q2 ‘03 25% Reduction in Patch Size Q3 ‘03 Q4 ‘03 Q1 ‘04 75% Reduction in Patch Size* Q2 ‘04 Q3 ‘04 90% Reduction in Patch Size Superior Patch Quality 10% Reduction in Patch Reboots Patch test process includes participating customers ndows Update installs, more than 25% reduction for other patches indows Server 2003 patches 30% Reduction in Patch Reboots**

MBSA Overall direction MBSA update scanning functionality integrated into Windows patch management functionality MBSA becomes Windows assessment & mitigation engine Near- and Intermediate-term plans MBSA 1.2 (Q4 2003) Improves report consistency, product coverage, and locale support Integrates Office Update Inventory Tool MBSA 2.0 (Q2 2004) Update scanning functionality migrates to SUS 2.0 / Microsoft Update MBSA leverages SUS 2.0 for update scanning

SUS 2.0 Support for additional Microsoft products Administrative control Deployment & targeting Bandwidth efficiency Scale out Status reporting

Patch Management Functionality Future Direction Longer-term (Longhorn time frame) SUS functionality integrated into Windows SUS supports updating of all Microsoft software SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software SMS patch management built on SUS infrastructure and delivers advanced patch management functionality Near-term SUS 2.0 (Spring 2004) Single infrastructure for patch management Support for additional Microsoft products Significant improvements in patch management functionality SMS 2003 Update Management Feature Pack (H2 2004) Leverages SUS for update scanning & download

Wireless

Current Situation Huge fear of wireless Rooted in misunderstandings of security Wireless can be made secure Takes work Need to understand problem Need to plan for secure solution

WEP Issues Key and initialisation vector reuse Known plaintext attack Partial known plaintext attack Weaknesses in RC4 key scheduling algorithm Authentication forging Realtime decryption More Information http://www.isaac.cs.berkeley.edu/isaac/wep-faq.ht ml WEP - Wired Equivalent Privacy

Solution Today - 802.1X Port-based access control mechanism defined by IEEE Works on anything, wired and wireless Access point must support 802.1X No special WIC requirements Allows choice of authentication methods using EAP Chosen by peers at authentication time Access point doesn’t care about EAP methods Manages keys automagically No need to preprogram WICs

Solution Today - EAP Link-layer security framework Simple encapsulation protocol for authentication mechanisms Runs over any link layer, lossy or lossless No built-in security Doesn’t assume physically secure link Authentication methods must incorporate their own security

AuthN Supported in Windows EAP-MD5 disallowed for wireless Can’t create encrypted session between supplicant and authenticator Would transfer password hashes in the clear Cannot perform mutual authentication Vulnerable to man-in-the-middle attacks EAP-TLS in Windows XP release Requires client certificates Best to have machine and user Service pack 1 adds protected EAP (PEAP)

Protected EAP (PEAP) Extension to EAP Allows use of any secure authentication mechanism for EAP No need to write individual EAP-enabled methods Windows PEAP allows: MS-CHAPv2—passwords TLS (SSL channel)—certificates PEAP-EAP-TLS a little slower than EAP-TLS SecurID—but not tested/supported for wireless For many deployments, machine and user passwords still are necessary PEAP enables secure wireless now Allows easy migration to certificates and smartcards later

802.1X & EAP Provides Mutual device authentication Workstation and authentication server No rogue access points Prevents man-in-the-middle attacks Ensures key is transferred to correct entity User authentication No unauthorized access or interception WEP key uniqueness and regeneration Packet/disassociation spoofing

WPA - An Interim Until 802.11i Goals Require secure networking Solve WEP issues with software and firmware upgrades Provide secure wireless for SOHO No RADIUS needed Be forward compatible with 802.11i Be available today WPA Wireless Security Update in Windows XP http://support.microsoft.com/?kbid 815485

The Future - 802.11i IEEE is working on 802.11i Replacement for WEP Includes TKIP (Temporal Key Integrity Protocol) , 802.1x, and keyed integrity check Mandatory AES (Advanced Encryption Standard) Addresses all currently known vulnerabilities and poor implementation decisions Need to be IEEE member to read work in progress

VPN

Remote Access Trends Explosive growth of mobile users 63.4M handheld computers to be sold by 2003* Increasing methods of access Application specific access Combined functionality VPN and Firewall combined platforms * Source - (IDC)

VPN Solution Components Corporate Network Clien Protocols Policy ts Domain Controller Mobile Worker Internet Database Server ISP Telecommuter File/Print Server VPN Server Gateway Web Server IAS Server Administrator eployment Tools Authentication Email Server

Windows VPN Components Client Integrated VPN client Gateway Routing and Remote Access Services Protocols Platform Support for Industry Standard Protocols Authentication Policy Deployment Tools Internet Authentication Services & Active Directory Connection Manager Administration Kit Windows XP Windows Server 2003

Windows XP Professional Client Gateway Protocols Authentication Policy Deployment Tools Integrated VPN Client Initiates connection to remote networks. Simplicity New Connections Wizard Automatic protocol detection Security Client state check with “Quarantine” Supports advanced security and encryption Supports certificates, smart cards, token cards and more

Windows Server Gateway Client Gateway Protocols Authentication Policy Deployment Tools Routing and Remote Access Services Link clients to private networks Security Secure remote access connection technology Per session VPN packet filters Performance Offload hardware encryption supported Load Balance support for VPN Manageability Integrated Active Directory authentication Supports standards based Authentication Servers (RADIUS)

Windows XP & Server 2003 Protocols Client Gateway Protocols Authentication Policy Deployment Tools Industry Standard Protocols Specify link capabilities and encrypts data traffic. Security Advanced security with L2TP/IPSec tunneling protocols. PKI authentication support Legacy user authentication support with PPTP Support for Smart Cards with EAP Interoperability IETF standards based solutions Network Transparency Multi-protocol and Multi-cast support

Windows Server Authentication Internet Authentication Services Client Gateway Protocols Authentication Policy Deployment Tools Validates user access to the network Directory Integration Integrates with Active Directory Interoperability Authenticates other 3rd party VPN products that support RADIUS Security Support for “Quarantine” New authentication support Smart Cards, Token Cards, Fingerprint scanners and more

Windows Server Policies Client Gateway Protocols Authentication Policy Deployment Tools AD Group Policy Network policies for users to gain access Security Enforcement of policies to check the state of the client via quarantine service Restricted access based on group membership Manageability Centralized user management with integration of AD and authentication service

Windows Server Deployment Tools Client Gateway Protocols Authentication Policy Deployment Tools Connection Manager Administration Kit Create and manage client connection configurations Central Configuration Create pre-configured dial-up connection software for simplified client experience Extensibility Customizable help files, help-desk numbers, and more Configurable connect actions to launch custom code before or after connection Phonebook Management Automatic phonebook updates for local ISP access numbers

Components of Network Access Quarantine Control hite Paper: Network Access Quarantine Control in Windows Server 2003 tp://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

Perimeter

What is ISA Server? High Performance Web cache Multi-layered firewall Packet Level (static and dynamic filters) Circuit Level (stateful inspection) Application Level (payload inspection) Network Address Translation (NAT) Centralised or Distributed Management ICSA Certified Common Criteria EAL2 Certified

Current Situation Traditional firewalls focus on packet filtering and stateful inspection Today’s attacks freely bypass this Ports are overloaded & can be exploited Port 80 Yesterday—Web browsing only Port 80 Today—Web browsing, OWA, XML Web Services, Packet filtering and stateful inspection are not enough

Application-layer Firewalls are Necessary Application-layer firewalls are required to stop these attacks Enable deep content inspection Requirement for network security today to to internal internal Internet network Packet Packet filtering filtering firewall/router Applicationlayer layer firewall firewall “To provide edge security in this application centric world application-layer firewalls will be required” —John Pescatore,

ISA Deployment Benefits Cost-effective to build, monitor and operate Integrated with Windows security and compatible with non-Windows hosts Saves bandwidth by caching frequently accessed content Provides a firewall engine with application layer inspection Enables QOS, detailed reporting, strong user authentication and high availability

Partner Opportunities Implementing good patch management process Eliminate fear of wireless networks Revisiting corporate remote access strategies Evaluate the security of customer’s DMZ environments Regularly check www.microsoft.com/security

2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.