| @sarnold | i'd like to introduce our next speaker for uninet infosec's conference |
|---|---|
| @sarnold | a reminder that the presentation schedule is here: http://infosec.uninet.edu/infosec2003/english/programa_eng.html |
| @sarnold | if anyone is able to translate from english to spanish, #redes may be interested :) |
| @sarnold | questions and comments should be asked in #qc |
| @sarnold | offtopic is an IT professional from Moscow, Russia |
| @sarnold | he and 3APA3A wanted to give a talk on client-side security issues |
| @sarnold | but 3apa3a is off at another conference, so today we have only offtopic |
| @sarnold | offtopic has been working with security issues for two years, mostly active directory, exchange, and tcp/ip |
| @sarnold | offtopic, start when you're ready :) |
| @offtopic | good day everybody |
| @offtopic | Usually, speaking about network security and Internet attacks one means security of network services and all forces are targeted to secure perimeter of corporate network. |
| @offtopic | But experience of last few years clearly demonstrates that client networking application is the most weak place in network security. You may think you're using "secure" application to read you e-mail or browse the web, but, in fact, there is no such thing as "secure application". |
| @offtopic | Any application has some bugs exploitable by remote attackers and disclosure of these bugs is just a question of time. During last few months’ security related bugs were found in almost all general network application. |
| @offtopic | For example look at mail readers: Outlook Express, Opera, Mozilla, Eudora, pine and even "mail" from different linux distributions were found vulnerable. |
| @offtopic | If there are no bugs in application itself, there are bugs in libraries the application uses or in the operation systems itself (for example The Bat! still uses vulnerable versions of few graphics and compression libraries). |
| @offtopic | The Situation with rest of networking application - browsers, messengers, peer-to-peer agents is even worse. |
| @offtopic | To build secure network you should have weakness of client applications in mind. The problem is that the most often way to secure client hosts is to use antiviral and content filtering software. |
| @offtopic | These methods are related to “security through obscurity” and can’t guaranty safety for client application, because they can only prevent client applications from vulnerabilities and attacks already generally known. |
| @offtopic | Can we provide any more reliable solution? |
| @offtopic | The problem of current networks is that obtaining control for client application attacker obtains all the access that the user of the vulnerable application has. |
| @offtopic | To solve the problem of networking application we have to prevent a potentially dangerous application from accessing sensitive data. |
| @offtopic | There are few approaches to solve this problem. You can try to solve this problem by means of application itself, for example via "security zones". |
| @offtopic | You can implement different levels of access for different application, to prevent potentially dangerous application from accessing data marking as sensitive (this approach is already implemented in few products, for example InfoSec's SecretNET and this is what Microsoft is about to implement in it's future products). |
| @offtopic | Or you can simply start dangerous application from different account with decreased rights via RunAs. |
| @offtopic | But we can try even more reliable solution - we will run an untrusted client application on a different dedicated host. |
| @offtopic | To implement this approach we will use terminal technologies to access networking applications located on dedicated server. |
| @offtopic | To prevent corporate network from attacks from this server in case it compromised we place this server in DMZ. |
| @offtopic | Now, we should have 2 DMZs - first one for network services, like SMTP, HTTP, etc and second one for client application, where we place our terminal services. |
| @offtopic | Terminal technologies eliminate the possibility of moving untrusted Internet data to corporate network. In case we need to access some files from Internet we can implement intermediate server to exchange files with moderate content control for all files. |
| @offtopic | We can allow or disallow users to use clipboard to move some text/graphical data from DMZ to corporate network by terminal services settings. |
| @offtopic | Now, let's try to implement this solution for relatively small organization with Windows 2000 Active Directory network and single ISA server. |
| @offtopic | We use the following scenario: |
| @offtopic | corporate namespace: dom.isec |
| @offtopic | corporate address space: 10.0.0.0/8 |
| @offtopic | Microsoft ISA Server internal address: 10.1.1.1/24 |
| @offtopic | http://www.security.nnov.ru/files/offtopic/Image1.gif |
| @offtopic | To allow terminal server to access user's accounts form Active Directory we use one of the domain servers with active directory installed. This server must be configured to hold global catalog role. |
| @offtopic | Active Directory server: 10.1.1.2/24, dc.dom.isec |
| @offtopic | To connect terminal server to MS ISA server and to create second DMZ for terminal services we use additional network adapter. |
| @offtopic | Network for DMZ is 192.168.1.0/24: |
| @offtopic | MS ISA Server DMZ address: 192.168.1.1/24 |
| @offtopic | Terminal Server address: 192.168.1.2/24 |
| @offtopic | MS ISA doesn't support Active Directory access from DMZ (Q329807), but we still can use RRAS (Remote Routing and Access Services) functionality of Windows 2000 to create second DMZ for terminal services instead of ISA Server tools. |
| @offtopic | RRAS is disabled on ISA server, so we should enable it. Now, we create filters to only allow Active Directory related traffic to Active Directory server. |
| @offtopic | Warning: Active Directory server should neither be used as a file server nor to store roaming profiles, if used, to avoid access to confidential information from terminal server. |
| @offtopic | We should allow: |
| @offtopic | UDP/88 - Kerberos service for authentication |
| @offtopic | UDP/123 - SNTP for time synchronization |
| @offtopic | TCP/389 - LDAP for querying Active Directory catalog |
| @offtopic | TCP/445 - CIFS/SMB for accessing group policy files |
| @offtopic | TCP/135 - RPC end point mapper to access RPC EndPointMapper |
| @offtopic | TCP/1026 - to access RPC-based Name Service Provider Interface. Usually this service uses dynamic port, which is published via RPC End Point Mapper, but we will fix this port number, as demonstrated in Q224196. |
| @offtopic | We allow few types of ICMP packets, for Domain Controller discovery. |
| @offtopic | In addition, we should allow RDP (Remote Desktop Protocol) TCP/3389 "TCP established" traffic from terminal server to client computers and traffic to TCP/8080 of ISA server itself to allow Internet access from Terminal Server. Access to ISA server and Internet from corporate network is no longer required. |
| @offtopic | We use both outbound filter for 10.1.1.1 interface (internal) and inbound filter for 192.168.1.1 (DMZ) interface. |
| @offtopic | Sorry, but i have not netsh for RRAS scripts now, but i can share it tomorrow |
| @offtopic | The rest of security related settings would be implemented through group policy. To prevent applying of standard domain policies to terminal server we create a different OU for the terminal server and set "Block policy inheritance" for this OU. |
| @offtopic | Because we use an Active Directory based policy, instead of the local ones, it will prevent policy from modification by intruder in case terminal server has been compromised. |
| @offtopic | We will use Baseline.inf from Microsoft Security Operation Guide and ocfilesw.inf standard template as a baseline for our settings. |
| @offtopic | We will do some additional settings to deny users access to MSGINA.DLL (to prevent DoS) and access to networking and administrative utilities. |
| @offtopic | We can limit access to wininet.dll, wsock32.dll, ws2_32.dll & netapi.dll. |
| @offtopic | To allow only selected applications to work we will place copies of these DLLs in application directories (we should care about explorer.exe, because it requires these DLLS, but best solution is to set Internet Explorer, iexplore.exe, as a start application). |
| @offtopic | In addition, we have to secure users profiles to deny files execution from these directories (.lnk in start menu and on the desktop needs no Execute permission to work). |
| @offtopic | This will prevent accidental launch of untrusted executables by user. Next, we should grant "Logon Locally" and "Access this computer from Network" rights only to users who actually need this access. |
| @offtopic | We can create either one "Internet Users" group or few groups based on type of access: "FTP users", "HTTP Users", "MAIL users", etc and use these groups on both ISA server and terminal server. |
| @offtopic | Warning: accounts with elevated rights should never have access to Internet. |
| @offtopic | We can also use policies to limit access from terminal server to network by implementing IPSec policies. |
| @offtopic | To automate IPSec policies with a batch we will use ipsecpol.exe from Windows 2000 Server Resource Kit. Example below demonstrates a trick of using IPSec policies for simple IP filtering: |
| @offtopic | Sorrryy! Listing is out... But we allow same ports Kerberos, SNTP, RDP, etc... |
| @offtopic | Besides we will set proxy settings and security zones settings (Windows Settings > Internet Explorer Maintains) to deny changing these settings for user (Administrative Templates > Internet Explorer) and limit the list of allowed applications (System > Run Only Allowed Windows Application). |
| @offtopic | To deploy centralized Outlook security settings we can import OUTLK10.ADM security template from Microsoft Office Resource Kit. |
| @offtopic | ote, that user based settings will be applied to all users, including administrators. In case of failure we will still be able to run administrative tools by booting Windows 2000 into "Safe mode with command prompt". Next, we set up MS ISA Server by limiting protocol access by groups. |
| @offtopic | ame approach can be used to implement access for VPN clients, because VPN clients have same problem: they connected to both untrusted Internet and secure corporate network. To limit VPN clients we can assign them with IP address from client DMZ. |
| @offtopic | http://www.security.nnov.ru/files/offtopic/Image2.gif |
| @offtopic | So, this is the end (c) Jimmy. |
| @sarnold | offtopic :) |
| @offtopic | Any questions? |
| @sarnold | well, if there aren't any more questions, then I think we'll wrap it up for a bit... |
| @sarnold | the next presentation is in an hour and twenty minutes; ismael briones will be presenting on ipv6 for home use :) |
| @sarnold | clap clap clap clap :) |
| @sarnold | thanks offtopic :) |
| krocz | CLAP CLAP CLAP |
| Vegas | was interesting offtopic |
| iaiox | thanks offtopic |
| garoeda | clap clap clap clap |
| @offtopic | If you know Russian - full version you can find in Windows & .Net Magazine/Russian Edition ;-) |
| Vegas | so every clients will have to connect through terminal server to access the internet is it ? |
| @sarnold | offtopic: hehehe :) |
| @sarnold | offtopic: pozdravlyayu :) |
| grey | seems like licensing for that could get expensive... [especially w/ w2k3 TS licensing] |
| @sarnold | offtopic: spasibo :) |
| @offtopic | grey: answer on #qc |
