Course Objectives
It's no surprise: security's a big concern. Management's
concerned. Heck, you're concerned — after all, worms and
viruses come thick and fast, anyone who's connected to the Internet but
isn't worried about attacks is in la-la land, any user inside your
network can cheaply buy books on how to hack the network from inside and
... well... yikes! Clearly security's important, but how many firms
have actually dug deep into their pockets and hired security
specialists? You know the answer — most haven't, or if they have,
then they've missed the most important point: security isn't a
specialty. It's like breathing, everyone's got to do it.
Unfortunately, though, while "we all" have to do security, in many firms
nobody's releasing us from our other duties, and so without a bit of help,
what used to be a 45-hour-a-week job could become a 60-hour-a-week
job.
That's what this course is intended to address. The course
director, Mark Minasi, has been teaching people about LAN networking since
1984, and understands what's involved with keeping a network in one
piece. He often wryly comments that he hears the phrase "networking"
and "not working" in too many places, and shows how to add "secure
networking" to an admin's job without making him or her go home
late. (Well, not too late.)
And he'll show you how to do it in just two days.
But that's not the only reason that you'll find this course a good use
of your time. As with all of his other courses, Mark designed this
course so that you could accomplish most of your goal of securing your
network using the tools that you've already paid for, or with freely
downloadable tools like Microsoft's Windows Software Update Service. People
often comment that Windows isn't secure, but they're only partially
right. Think of it this way: suppose you bought a house with
four doors to the outside and 30 windows, all of which have
locks. Is this house secure? Well, that depends — are
the 34 window and door locks locked or not? Much of what makes
Windows "insecure" just stems from the fact that Microsoft has built a
fairly secure OS, but then left many of the locks unlocked so as to
present an easy-to-use face to the world. In this course, you'll
learn what locks to engage, and why. But you'll also learn that
engaging some of those locks may exact a price either in terms of ease of
use or of compatibility — you see, one of the reasons that Microsoft left
some of those locks open was so that 2000, XP and 2003 could interoperate
with Windows 9x!
Perhaps most important, however, is that all of the security education
in the world isn't worth a thing if it doesn't make sense or is
dull. But Mark keeps the class lively with examples, anecdotes,
analogies and clear explanations. That's right — unlike other
seminar companies, who hire one instructor to create a class and send
others to "play back" the seminar, Mark teaches every one of our
sessions. You'll never get a second stringer, so get ready for a
very packed day of security education!
Key Seminar Benefits
- Learn how even the newest, most modern Windows systems have
vulnerabilities, and how you can reduce or remove those vulnerabilities
- Discover how to secure your Windows servers and desktops using tools
already in the box — how to get the most out of what you've already
paid for!
- Crack open passwords to discover how they work under the hood and,
most important, how to protect yours from prying eyes and the occasional
security bug
- Find out how to use Active Directory to configure your systems
automatically
- Know what security issues to worry about, and what ones not
to worry about
- See how to disable unnecessary legacy features that leave gaping
holes in your systems
- Develop an effective patch strategy
- Control XP and 2003's built-in firewall through both command lines
and group policies, or build custom firewalls with IPsec
- Prepare for the worst with a disaster recovery strategy
- Understand Windows login tools and methods — the options, their
vulnerabilities, and how to secure them
- See when to use Internet Connection Firewall and when not to, and
how to use IPsec to create firewalls when ICF isn't the right answer
- Get advice on what to audit and how to use that audit information
- Meet the anonymous user and the "null session" and learn what to do
about them
- Protect yourself from possible Encrypting File System disasters
- Get the most out of XP SP2 and 2003 SP1's security tools
Prerequisites
Most security courses seem to feel it necessary to make you sit through
the "this is an Active Directory domain, this is a forest, this is an
organizational unit" talk. But we're skipping all that to save time
and keep this course as short and information-dense as possible. If
you need to understand AD, we recommend our "Running a 2003/2000-Based
Active Directory" course — you can find its outline at www.minasi.com/2003outln.htm.
We typically offer these courses together — first the AD course, then
this one.
Course Outline
- Introduction: Security in the 21st Century
Computer security's always been important, but e-mail viruses and
bug-exploiting worms have upped the ante, creating the possibility of a
single worst-case piece of cyber-terrorism that could in just a few
hours bring down thousands of networks and perhaps the Internet
itself. But our increasing dependence on data stored in computers
means that we don't need an apocalyptic Net-killing scenario to produce
effects that could destroy the work of individual people, departments,
or firms. Security's a necessary evil, but it doesn't have to be a
budget-busting one.
- Getting Ready: Knowing When To Worry, And Not To Worry
As security hazards have grown, so have the legion of people
consulting on computer security. While their mantra seems to be
"you can never be secure enough," the fact is that there's no sense in
spending a million dollars protecting an asset that can be replaced for
a few thousand dollars. Sure, security's important, but so is the
bottom line. This section quickly lays out a commonsense method
for deciding how much to spend, when to spend it, and... sometimes ...
when not to spend it.
- Who are the bad guys?
- What could they damage?
- Where are the vulnerabilities?
- What would it cost you if the bad guys succeeded?
- How can you keep that from happening with the least expense in
time and money?
- If it does happen, how can you most quickly recover?
- What policies must you have in place beforehand to minimize the
risk and recover at top speed?
- Authentication and Authorization
Perhaps the most fundamental part of any secure system is this pair
of questions: "who are you?" and "what are you allowed to do?"
This section quickly takes up these questions from a Windows
point of view so that we can always remember to ask when examining a
security technology "why are we doing this, anyway?"
- Why authenticate?
- Standard authentication approaches, and which ones Windows uses
- Authentication's output: tokens
- Why you (strangely enough) never "log onto a domain"
- Why authorize?
- How Windows authorizes: objects, actors, and permissions
- Talkin' authentication: ACLs, DACLs, SACLs, ACEs, and more
- The types of things Windows gives ACLs
- Windows' awful user interface to permissions
- Dueling authentication
- Owners and ownership
- Inheritance: When Good Permissions Get Propagated
As with any system with layers and layers, the Windows world wants to
save you trouble by letting you just touch one thing and have that touch
affect everything under it. But such a notion — "inheritance" —
costs valuable time no matter how you implement it. Here's how
Windows' inheritance compromise does it, both the good and the bad —
and, of course, how to do it most simply.
- Why inherit?
- How Windows implements inheritance
- Replace and Allow: the check boxes that aren't check boxes
- Disinheriting
- When denies don't beat allows
- Crypto Concepts: Encryption, Hashing, Signing, Shared
Secrets, Public Key and Certificates
Authenticating and authorizing are great, but we do them over leaky,
easy-to-eavesdrop-upon networks. So all good networks need a way
of protecting their secrets. That's where cryptographic tools come
in. This quick overview of the crypto technologies in Windows is
the key — no pun intended! — to understanding how Windows logons work
and to evaluating their strengths and weaknesses. We can't stress
this strongly enough: there's a lot of baloney to be found in the
security world about whether X or Y technology is "cracked" or "broken"
and without a basic knowledge of crypto, then all you can do is just
shrug your shoulders and go with the most paranoid-sounding expert
around, who often strangely has the most expensive solutions. This
section will make you a better security consumer!
- Why networks need cryptography, and why you're using it now,
whether you realize it or not
- Encryption
- Parts: algorithm, cleartext, key, ciphertext
- Symmetric and asymmetric keys
- Big keys are long; why not always use them?
- Common encryption algorithms used in Windows
- Fake encryption algorithms
- Asymmetric encryption basics
- Hashes
- What hashes do
- Hashing versus encryption
- Hashing algorithms used in Windows
- Message signing with hashes and encryption
- How hashes are attacked: the "birthday attack"
- Public Key Infrastructure (PKI)
- Public and private keys
- Certificates
- Signing certificates: the web of trust
- PKI examples: SSL and e-mail certificates
- Certificate revocation
- The bad news about Windows and certificate revocation
- Practical Talk About Passwords
Passwords ... those things we'd love to forget about — but can't.
Like it or not, the fact is that the best-crafted security in the world
can always be beaten by lousy passwords. But
everyone wants to pick passwords that are easy to remember and,
well, "easy to remember" is usually equivalent to "easy to guess."
In this section, we introduce the topic of passwords and get ready in
the following sections to see how they're stored and ultimately how to
make them as secure in a practical sense as is possible.
- Complex or simple?
- Passwords as a carbon-based rather than a silicon-based problem
- Common sense about how often passwords should be changed
- Using — or not using — account lockouts
- Passwords II: How They Get Attacked
We're going to work on picking the best passwords soon. But no
matter how good your passwords are, the
bad guys can still get to your passwords in other ways — but only if you let
them. A bit of backward compatibility built into every version of
Windows, even 2003, makes it easy for the insider criminals to figure
out passwords. Learn in this section to separate the reality from
the hysteria about password crackers and what to do about them.
- The four ways to steal a password — and technology can only
help with two of them
- How Windows has stored passwords over the years
- Windows' greatest "security hole:" backward compatibility
- Storage internals: LM hashes and NTLM hashes
- Getting to the hash
- System keys, machine keys and syskey
- Un-hashing the hash to get your passwords
- LM's special weakness
- Attacking NTLM hashes
- Dictionaries
- Brute force on modern PCs
- Pre-computing: the "rainbow attack"
- Why are these lame technologies in Windows today?
- Passwords III: Protecting Them
Armed with what we've learned in the past two sections and with a bit of
common sense, we can see how to keep the weasels from getting our passwords.
- Kill LM hashes
- Making NTLM hashes harder to un-hash
- Passphrases instead of passwords
- Passphrases versus the bad guys: are they really less secure?
- Getting Windows to allow a 15+ character minimum
- Advice on choosing passwords
- Logins Revealed... and Secured
Every day we log onto our Windows machines. But what really happens
when we do? How do our workstations and domain controllers exchange logon
information without revealing our passwords? And why are there so gosh-darn
many kinds of logins in the Windows world — LM, NTLM, NTLMv2, Kerberos?
Building on what we've learned so far, you'll see what happens under the ol'
logon hood... and why you need to bolt down some of those options.
- The basic problem: passing passwords without actually passing
passwords
- Challenge mechanisms
- Session keys
- LM and NTLM authentication methods
- LM and NTLM problems and NTLMv2 answers
- How NTLMv2 logons work
- Configuring your systems for NTLMv2... even if you have Active Directory
- How your system chooses between the methods (you'll be surprised)
- Kerberos in Active Directory
- Overview
- Goal: hook up users and services in a "session"
- Kerberos terminology: UPNs, SPNs, KDCs, TGS, TGT, AS and more
- Using the AS (Authentication Service) for initial logon
- How Kerberos tickets work
- Using the TGS (Ticket Granting Service) to connect to resources
- Kerberos theory and Microsoft practice
- When Kerberos is and isn't used in AD
- Configuring Kerberos with group policy settings
- Troubleshooting Kerberos failures
- Kerberos tools
- Securing the "secure channel" — signing and optionally encrypting DC/client
communications
- Limiting Strangers: Understanding Anonymous Logins or the "Null Session"
Anonymous? Isn't that just an FTP thing? No, believe it
or not, the "secure" NT family has a back door — the null
session. Just about anyone can walk up to your system and,
provided port 139's available, that person can discover a fair amount of
things about that system. But you don't have to welcome the
anonymous. This section explains what null sessions are, why they
exist, and when you can disable or limit them.
- How anonymous or null sessions happen
- What the anonymous can see
- Disabling anonymous (it's not just a Registry entry!)
- Demonstrating a null session
- Securing File Sharing: De-hacking SMB/CIFS
Modern Windows supports dozens of network services, but the very first one
was file and print sharing. It's so old that it's woven into the operating
system unlike any other service. (Try disabling the Server service; you'll
lose most of your remote administration tools.) Its ubiquitous nature has
made SMB/CIFS, the techie name for the file server service, a favorite point of
attack for hackers. Learn how to defend your systems from these attacks in
this section.
- Introducing SMB and CIFS
- Hacking SMB with a "reflection attack"
- Other man-in-the-middle vulnerabilities
- The answer: SMB signing
- SMB signing as an "alcoholic's anonymous" protocol: how negotiation
happens
- Enabling SMB signing on Win 9x, NT, 2000, XP Pro, 2003
- Protecting Laptop Files: the Encrypting File System (EFS) Without Tears
One way to keep the bad guys from getting to your data is by
encrypting it, as Windows' Encrypting File System can do. But
without a bit of preparation, EFS can ensure that not only do the bad
guys not get to your data — you can't get to it either! In
this section, you'll learn how EFS works and what to do to ensure that
you'll be able to snatch back your data in the event of memory failure
on either your part or the computer's.
- How EFS works: its keys, how they're encrypted, and where
they're stored
- How EFS might not work: possible failure modes
- EFS problems and solutions
- Protecting yourself from EFS: four methods
- Installing data recovery agents or using domain-based recovery
agents
- Backing up an EFS certificate and restoring it
- Disabling EFS with group policies or Registry settings
- Re-installing an old password
- E-Spackle: Sealing The Cracks
Is your system secure today? Great — but what about
tomorrow? Many times the way that the bad guys get you is through
a loose end, some bit of maintenance that doesn't get done. This
section shows you how to take the "scissors" to those loose ends.
And we start with one of Windows' biggest loose ends — the
Administrator account.
- Getting rid of "Administrator"
- What to do with local Administrator accounts on
workstations: maybe setting the local Administrator account's
password to the same value on 300 workstations isn't such a good idea!
- Reducing Administrator's power
- XP and 2003: eliminating Administrator
- Spending most of your day as a user: Runas review and
tricks... and limitations
- Cleaning up dead accounts
- Policing share permissions
- Auditing logon scripts
- Watching The Store: Using Auditing
The Bad Thing happens and someone's attacked your system. How'd
it happen? Whodunnit? What can we do to ensure that it
doesn't happen again? Ever since NT 3.1, NT's had the ability to
record audit trails that let you watch who's trying to get at your
protected stuff. Imagine a thief was rattling your doorknobs
looking for an open door; it's a frightening scenario, but consider
how much more frightening it'd be if you couldn't hear! Audit
tools are your "hearing aids"; this section shows you how to make them a
good fit. And if you've been wise enough to install 2003 SP1 or XP Pro
SP2 then you'll be able to employ a nice tool to keep the Security log
slim called "per-user auditing."
- How auditing works
- What to audit and what not to audit
- Now that you've got 'em, what to do with 'em? Time-efficient
methods for managing and using audit logs
- Microsoft's Audit Control Service (ACS), a security log
aggregator
- The foxes and the henhouse: auditing audit logs
- Figuring out logs — event IDs
- Keeping the security log smaller: per-user auditing
- Largely undocumented SP2/SP1 feature
- Command-line syntax
- Examples
- Sample output
- Hardening Ports In XP and 2003: Understanding Windows Firewall
When XP and 2003 first appeared, they included a firewall that seemed kind of
lame but innocuous, as it was disabled by default. But when you
install XP's service pack 2 then you'll
discover that the Windows Firewall (WF) is enabled, whether you
like it or not. While it takes a little getting used to, it can be
a real security enhancement; it may even make sense to run it on some
Windows 2003 servers (after installing SP1). This section shows
you how to get the most out of WF, with the least effort.
- How Windows Firewall works
- Inbound traffic only
- Stateful packet inspection
- Enabled before the stack starts
- Two personalities: the domain profile and the mobile profile
- Enabling WF: pro and con
- Firewalls and mobile computers
- Firewalls inside an intranet?
- Considerations for those leaving WF on inside a firewall
- Configuring WF nuts and bolts: the command line
- Configuring WF nuts and bolts: group policies
- Opening ports the minimalist way
- Using WF's IPsec bypass
- Getting WF to behave differently inside and outside the company buildings
- Hardening Ports Under 2000: IPsec
If you've got 2000 systems in your network, then you might wish that
you had a software firewall like WF... but unfortunately WF doesn't
come with 2000 and there's no way to add it. You could, of
course, spend money on a third-party personal firewall, but you might
alternatively want to exploit a less-understood gem built into 2000,
IPsec. This section acquaints you with IPsec's port blocking
features and suggests how you might create your own software firewall
with nothing more expensive than a batch file!
- What is IPsec?
- Policies = one or more rules
- Rules = Filters + Actions + Authentication
- Authentication = shared password, Kerberos, PKI
- Filters explained
- Actions = block, pass, sign, encrypt
- How to configure IPsec
- With group policies
- From the command line
- Suggestions for using IPsec
- Examples: see how to do it, step by step
- Go Forth and SYN No More: Hardening TCP/IP
The Internet's lingua franca, TCP/IP, is a pretty good way of
getting data from here to there reliably. But TCP/IP's protocols
assume a certain amount of rational cooperation on both sides.
Unfortunately criminals can exploit that assumption to attack
workstations and servers and render them incapable of networking or even
functioning. See how to avert this in this section.
- The three-way handshake
- Exploiting good will with a SYN attack
- SYN floods, Smurf attacks and the like
- Spoofing IPs: what to worry about and what not to worry
about
- Fixes to ward off SYN/Smurf attacks
- Hardening Programs I: Blocking Bad Programs With Software Restrictions
Next, we move to a series of sections about hardening particular programs,
and we'll start by seeing how to "harden" some programs by keeping them from
running on our systems altogether! The first technology to help with that
is XP and 2003's built-in Software Restrictions Policy feature.
- How Software Restrictions works
- Specifying particular applications
- Making the new SR policy take effect
- What to do when you've locked yourself out
- Suggestions for using SR to help secure your system
- Hardening Programs II: Blocking Those Evil ActiveX Controls
While it may not be an actual operating system, Internet Explorer
sure acts like one, as it hosts its own special kinds of programs
(ActiveX controls, in-browser client-side scripts, and Browser Helper Objects —
BHOs, those irritating spyware things) and even has a way to automatically start
them up at run-time. (Surely when we say "Gator," you don't always think
of large reptiles.) Want to learn how to use a neat SP1/SP2 feature to
block these guys through group policies? You will in this section.
- How the SP1/SP2 "add-on control" feature works
- Creating a "whitelist" of approved ActiveX/BHO apps
- Creating a "blacklist" of forbidden ActiveX/BHO apps
- Hardening Programs III: Securing Services
One of Windows' most wondered-about and least understood aspects
are its services, those programs that run either with or without you and
that seem to provide so much angst for a network's defenders. This
section outlines a three-step process to shore up your services,
offering clear advice on how to reduce the chance that a bad guy will
crawl into your system through one of your services.
- Eliminating unnecessary services: what can you turn off to make your system faster, less RAM-intensive, and a smaller target?
- Restricting the power of existing services: if you have to have them, limit the damage they could do
- Using permissions to further restrict a service's power
- Tips on securing IIS
- Windows Server 2003's Security Expert: Security Configuration Wizard
2003 SP1 shipped with a powerful security advisor called the Security Configuration Wizard. While simple to run, it's an expert program hardening tool. It's got a lot of power and deserves a place in your toolbelt. This section explains what it does and how to get the most out of it.
- Hardening Programs IV: Securing Programs Against SQL Injection
Many of our organizations build and run Web-based
applications built atop SQL database engines, as it's become so easy to
do it. But many SQL-based Web apps are ticking time bombs because
of a class of attacks called "SQL injection" attacks, which can quite
easily give an attacker complete control of a Web server. There is
not, nor will there ever be, a patch for this — this is something
you've got to check into on your own systems. Preferably before an
outsider does.
- What is SQL injection?
- Example SQL injection attack
- Hardening systems against SQL injection
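As an added illustration of the vulnerable-versus-hardened contrast this section covers (example code written for this outline, not material from the course or its author), the following Python script runs the same login query two ways against a constructed in-memory SQLite table: once with the query text built by string concatenation, once with bound parameters. The table contents, the injected string and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample accounts, embedded inline so the script runs offline.
# (Plaintext passwords are used only to keep the demo short; a real system stores hashes.)
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
    ("carol", "s3cret-carol"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: user input becomes part of the query text,
    so a quote character in the input changes the meaning of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver sends the input as data, so it can
    never be parsed as SQL syntax regardless of which characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both versions with a wrong password and with the classic injected
    string, returning the usernames each query matched."""
    conn = make_db()
    # With concatenation this turns the WHERE clause into
    #   username = 'alice' AND password = '' OR '1'='1'
    # and the OR branch is true for every row.
    injected = "' OR '1'='1"
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, "alice", injected),
        "parameterized_injected": login_parameterized(conn, "alice", injected),
        "parameterized_correct": login_parameterized(conn, "alice", "s3cret-alice"),
    }


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label}: {matched}")
```

The concatenated version matches every account when given the injected string, while the parameterized version matches nothing, which is the check the section's advice boils down to: find every place your own code assembles SQL text from user input and replace it with a parameterized query.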
- Hardening Programs V: Patch Management With SUS
- The role of patching in securing your network, and the role of testing patches in securing your network
- Software Update Services
- What SUS does and what it requires
- Getting the SUS code
- Installing SUS
- Setting up the server
- Maintaining the server
- Watching client updates
- The SUS client — Windows Update
- Do you need an updated SUS client?
- Configuring the SUS client via the Registry and group policies
- Understanding detection, download, installation and reboot phases
- Tracking the SUS client's behavior
- SUS limitations and workarounds
- SUS troubleshooting
- WSUS changes to SUS
- The Ultimate User Protection: Training
Finally, we move to the sections on hardening people, with some simple training and processes. Yes, everyone talks as if users were untrainable, but that's not a
useful strategy, and here's why: apathetic or antagonistic users can always, always, always beat really, really, really good security. Here are a few simple, logical, and proven ways to make
users your first line of defense, instead of your fifth column.
- Disaster Recovery
Okay, you've done a good job keeping the moats full (of both water and alligators), the portcullis shiny and deployed, and the boiling oil vats full and ... well ... boiling. But then
something happens anyway. Perhaps a particularly clever enemy sneaks by your defenses in the guise of a friend, or random fate deals you an earthquake. Once we're past the "omigod, this is a mess!"
phase — and we have to get past it quickly, as people depend on us and what we do — then it's time to rebuild. And that's easier with a blueprint. Disaster recovery (DR) plans are those
blueprints. No one likes to talk about the scenario wherein the mail servers have gone quiet and provide nothing more than smoke, but
those scenarios can happen. This section discusses the genesis, care and feeding of DR plans.
- What a DR plan can do
- What DR plans look like
- Testing your DR plan
- The DR plan that works under stress: scripts
- Physical Security
We techies tend to think of problems and solutions as virtual in
nature. Someone might attack us on port X at address Y via a bug
in program Z — all virtual notions — and we defend ourselves with
better passwords, good patching practices, or perhaps a firewall:
more virtual notions. But if I can get into the room where you
keep your domain controllers — that is, get physically close to
those systems — then I don't need a password to attack your systems,
just a screwdriver or a pry bar. This section offers some very
simple common sense on protecting your systems from physical
attack.
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in just two days, this runs in mainly lecture format.
Arranging a Course At Your Location
We offer this class as a public seminar about a half-dozen times a
year; you can view the current schedule at www.minasi.com/pubsems.htm.
But you needn't wait — Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs.
Please contact our office at (757) 426-1431 between 12 noon and 5 p.m. Eastern
time or email Assistant@Minasi.com to discuss
scheduling and fees.