Defense-in-Depth Against Malicious Software
Rick Claus / Bruce Cowper
IT Pro Advisors, Microsoft Canada

Uploaded by marcus-ray, posted 24-Dec-2015


TRANSCRIPT

Page 1: Defense-in-Depth Against Malicious Software

Rick Claus / Bruce Cowper

IT Pro Advisors

Microsoft Canada

Page 2: Session Prerequisites

Hands-on experience with Microsoft Windows Server and Active Directory

Basic understanding of network security fundamentals

Basic understanding of concepts related to malicious software

Level 200

Page 3: Session Overview

Understanding the Characteristics of Malicious Software

Malware Defense-in-Depth

Malware Defense for Client Computers

Malware Defense for Servers

Network-Based Malware Defense

Malware Outbreak Control and Recovery

Page 4: Understanding the Characteristics of Malicious Software (agenda section)

Page 5: Malicious Software: Identifying Challenges to an Organization

Malware: A collection of software developed to intentionally perform malicious tasks on a computer system

Feedback from IT and security professionals includes:

“The users executed the attachment from their e-mail even though we’ve told them again and again that they aren’t supposed to.”

“The antivirus software should have caught this, but the signature for this virus hadn’t been installed yet.”

“We didn’t know our servers needed to be updated.”

“This never should have made it through our firewall; we didn’t even realize those ports could be attacked.”

Page 6: Understanding Malware Attack Techniques

Common malware attack techniques include:

Social engineering

Backdoor creation

E-mail address theft

Embedded e-mail engines

Exploiting product vulnerabilities

Exploiting new Internet technologies

Page 7: Understanding the Vulnerability Timeline

Timeline diagram (events as labelled on the slide): Product shipped; Vulnerability discovered; Update made available; Update deployed by customer; Vulnerability disclosed

Callout on the diagram: Most attacks occur here

Page 8: Understanding the Exploit Timeline

Timeline diagram (the same events as page 7, with an Exploit marker added): Product shipped; Vulnerability discovered; Update made available; Update deployed by customer; Vulnerability disclosed; Exploit

Callout on the diagram: Days between update and exploit have decreased
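The two timelines make one operational point: the window that matters to a defender is the one between "update made available" and "update deployed by customer", and the shrinking gap between update and exploit sets the deadline for closing it. The following Python is an added example, not from the original deck, that turns this into a measurement an update policy can be judged by: for each host in a fleet it computes how long the host sat in that window and whether it was still unpatched when the exploit appeared. All dates, host names and the shape of the input dictionaries are constructed for the example.

```python
"""Patch-lag measurement for the vulnerability/exploit timeline.

Added example, not from the original deck. It takes the dates a vendor
update became available and an exploit was first seen, plus the date each
host in a fleet deployed the update, and reports how long every host sat in
the "update available -> update deployed" window and whether it was still
unpatched when the exploit appeared. All dates and host names are constructed.
"""
from datetime import date


def days_between(start, end):
    """Whole days from start to end (negative if end precedes start)."""
    return (end - start).days


def days_to_exploit(vuln):
    """Days from update availability to first exploit, or None if no exploit yet."""
    exploit = vuln.get("exploit_seen")
    if exploit is None:
        return None
    return days_between(vuln["update_available"], exploit)


def exposure_report(vuln, deployments, today):
    """Per-host view of the deployment window.

    vuln:        {"update_available": date, "exploit_seen": date or None}
    deployments: {host: date the update was deployed, or None if still missing}
    today:       reference date used for hosts that are still unpatched
    """
    available = vuln["update_available"]
    exploit = vuln.get("exploit_seen")
    report = {}
    for host, deployed in deployments.items():
        window_end = deployed if deployed is not None else today
        # Exposure starts when the update exists; a deployment date earlier
        # than that would be bad data, so the window is clamped at zero.
        exposure = max(0, days_between(available, window_end))
        unpatched_at_exploit = exploit is not None and (
            deployed is None or deployed > exploit
        )
        report[host] = {
            "exposure_days": exposure,
            "patched": deployed is not None,
            "unpatched_at_exploit": unpatched_at_exploit,
        }
    return report


def fleet_summary(report):
    """Roll the per-host report up into the numbers an update policy is judged by."""
    hosts = list(report.values())
    return {
        "hosts": len(hosts),
        "still_unpatched": sum(1 for h in hosts if not h["patched"]),
        "unpatched_at_exploit": sum(1 for h in hosts if h["unpatched_at_exploit"]),
        "max_exposure_days": max((h["exposure_days"] for h in hosts), default=0),
    }


# Constructed sample data: a single update and a three-host fleet.
SAMPLE_VULN = {
    "update_available": date(2004, 6, 1),
    "exploit_seen": date(2004, 6, 18),
}
SAMPLE_DEPLOYMENTS = {
    "ws01": date(2004, 6, 5),    # patched inside the window
    "ws02": date(2004, 6, 25),   # patched, but after the exploit appeared
    "srv01": None,               # still unpatched
}
SAMPLE_TODAY = date(2004, 7, 1)

if __name__ == "__main__":
    rep = exposure_report(SAMPLE_VULN, SAMPLE_DEPLOYMENTS, SAMPLE_TODAY)
    print("days from update to exploit:", days_to_exploit(SAMPLE_VULN))
    for host, row in rep.items():
        print(host, row)
    print(fleet_summary(rep))
```

With the constructed data the exploit appears 17 days after the update, so any host whose exposure exceeds 17 days (ws02 and the unpatched srv01) was reachable by it; that number, tracked per update, is the deadline a deployment process has to beat.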

Page 9: Identifying Common Malware Defense Methods

Malware Attack / Defense Method

Mydoom: Block port 1034; update antivirus signatures; implement application security

Sasser: Block ports 445, 5554, and 9996; install the latest security update

Blaster: Install the latest security update; block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138, and also block UDP port 69 (TFTP) and TCP 4444 for remote command shell; update antivirus signatures

SQL Slammer: Install the latest security update; block UDP port 1434

Download.Ject: Install the latest security update; increase security on the Local Machine zone in Internet Explorer; clean any infections related to IIS
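The port list in the table is also a detection list: traffic to those ports from a single source is what a worm sweep looks like, and an ALLOW on one of them means a port the table says to block is still open. The following Python is an added example, not from the original deck, that applies the table as detection logic over a few constructed firewall log lines. The log format ("<timestamp> <ALLOW|DROP> <tcp|udp> <src_ip> <dst_ip> <dst_port>"), the addresses, and the three-event threshold for reporting a source are all assumptions for the example; Mydoom's port 1034 is treated as TCP because the slide gives no protocol.

```python
"""Look for connection attempts on the ports the slide's table ties to
Mydoom, Sasser, Blaster and SQL Slammer.

Added example, not from the original deck. The log format is a constructed,
simplified one ("<timestamp> <ALLOW|DROP> <tcp|udp> <src_ip> <dst_ip> <dst_port>"),
the addresses are documentation ranges, and the three-event threshold for
calling a source a scanner is an assumption.
"""
import re
from collections import Counter, defaultdict

# Port/protocol pairs taken from the "Identifying Common Malware Defense
# Methods" table; Mydoom's 1034 is treated as TCP (the slide gives no protocol).
WORM_PORTS = {
    "Mydoom": {("tcp", 1034)},
    "Sasser": {("tcp", 445), ("tcp", 5554), ("tcp", 9996)},
    "Blaster": {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 593),
                ("udp", 135), ("udp", 137), ("udp", 138),
                ("udp", 69), ("tcp", 4444)},
    "SQL Slammer": {("udp", 1434)},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "port": int(m["port"])}


def classify(event):
    """Names of the table entries whose blocked ports match this event (sorted)."""
    key = (event["proto"], event["port"])
    return sorted(name for name, ports in WORM_PORTS.items() if key in ports)


def summarize(lines, scan_threshold=3):
    """Return (suspects, allowed).

    suspects: {src_ip: {worm_name: hit_count}} for sources with at least
              scan_threshold matching events (a host sweeping worm ports).
    allowed:  matching events the firewall let through, i.e. ports the
              table says to block that are still open.
    """
    hits = defaultdict(Counter)
    allowed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name in classify(ev):
            hits[ev["src"]][name] += 1
            if ev["action"] == "ALLOW":
                allowed.append((ev["src"], ev["dst"], ev["proto"], ev["port"], name))
    suspects = {src: dict(c) for src, c in hits.items()
                if sum(c.values()) >= scan_threshold}
    return suspects, allowed


# Constructed sample log: one host sweeping SMB/Sasser ports, one Slammer probe,
# one ordinary web request, and a malformed line.
SAMPLE_LOG = """\
2004-05-01T10:00:01 DROP tcp 192.0.2.10 10.10.0.5 445
2004-05-01T10:00:02 DROP tcp 192.0.2.10 10.10.0.6 445
2004-05-01T10:00:03 DROP tcp 192.0.2.10 10.10.0.7 5554
2004-05-01T10:00:04 ALLOW tcp 192.0.2.10 10.10.0.8 9996
2004-05-01T10:01:00 DROP udp 198.51.100.7 10.10.0.2 1434
2004-05-01T10:02:00 ALLOW tcp 203.0.113.9 10.10.0.2 80
garbage line that will not parse
"""

if __name__ == "__main__":
    suspects, allowed = summarize(SAMPLE_LOG.splitlines())
    for src, counts in suspects.items():
        print(f"possible scanner {src}: {counts}")
    for src, dst, proto, port, name in allowed:
        print(f"ALLOWED {proto}/{port} from {src} to {dst}: port listed for {name}")
```

Port 445 appears under both Sasser and Blaster, so a single SMB probe is counted against both names; the report is about which of the table's controls is being tested, not about attributing the source to a particular worm.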

Page 10: Malware Defense: Best Practices

Stay informed

Implement application security

Restrict local administration rights

Implement security and antivirus update management

Implement firewall protection

Page 11: Malware Defense-in-Depth (agenda section)

Page 12: What Is Defense-in-Depth?

Using a layered approach:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Layers, with the controls that belong to each:

Policies, procedures, and awareness: Security policies, procedures, and education

Physical security: Guards, locks, tracking devices

Perimeter: Firewalls, border routers, VPNs with quarantine procedures

Internal network: Network segments, IPSec, NIDS

Host: OS hardening, authentication, update management, antivirus updates, auditing

Application: Application hardening

Data: Strong passwords, ACLs, encryption, EFS, backup and restore strategy

Page 13: Applying Defense-in-Depth to Malware Defense

Policies, procedures, and awareness

Physical security

Network defenses: Perimeter; Internal network

Client defenses: Host; Application; Data

Server defenses: Host; Application; Data

Page 14: Implementing Host Protection Policies, Procedures, and Awareness

Recommended policies and procedures include:

Host protection defense policies: Scanning policy; Signature update policy; Allowed application policy

Network defense policies: Change control; Network monitoring; Attack detection; Home computer access; Visitor access; Wireless network policy

Security update policy:

1. Assess environment to be updated

2. Identify new updates

3. Evaluate and plan update deployment

4. Deploy the updates

Page 15: Implementing Physical Security and Antivirus Defense

Elements of an effective physical defense plan include:

Server computers

Network access points

Premises security

Personnel security

Mobile computers and devices

Workstation computers

Page 16: Malware Defense for Client Computers (agenda section)

Page 17: Protecting Client Computers: What Are the Challenges?

Challenges related to protecting client computers include:

Data challenges: Implementing data storage policies; Implementing data security; Regulatory compliance

Application challenges: Controlling application usage; Secure application configuration settings; Maintaining application security updates

Host challenges: Maintaining security updates; Maintaining antivirus software; Implementing a personal firewall

Page 18: Implementing Client-Based Malware Defense

Steps to implement a client-based defense include:

1. Reduce the attack surface

2. Apply security updates

3. Enable a host-based firewall

4. Install antivirus software

5. Test with configuration scanners

6. Use least-privilege policies

7. Restrict unauthorized applications

Page 19: Choosing an Update Management Solution for Malware Defense

Customer type / Scenario / Solution

Consumer / All scenarios / Windows Update

Small organization / Has no Windows servers / Windows Update

Small organization / At least one Windows 2000 or newer server and one IT administrator / MBSA and SUS

Medium-sized or large enterprise / Wants an update management solution with a basic level of control that updates Windows 2000 and newer versions of Windows / MBSA and SUS

Medium-sized or large enterprise / Wants a single flexible update management solution with an extended level of control to update and distribute all software / SMS

Page 20: Understanding the Benefits of Software Update Services

Gives administrators basic control over update management

Administrators can review, test, and approve updates before deployment

Simplifies and automates key aspects of the update management process

Can be used with Group Policy, but Group Policy is not required to use SUS

Easy to implement

Free tool from Microsoft

Page 21: SUS—How It Works

Diagram: Windows Update, reached over the Internet, feeds the parent SUS server; a child SUS server synchronizes from the parent; client computers are shown attached to each SUS server

Page 22: Demonstration 1: Configuring Software Update Services to Deploy Security Updates

Lab network diagram (labels as extracted; the same diagram is reused for the later demonstrations): Internal network 10.10.0.0/16; Internet. London.nwtraders.msft: Domain Controller, Exchange Server 2003, IIS 6.0 Server, Software Update Services, DNS Server, Enterprise CA Server, 10.10.0.2/16. Vancouver.nwtraders.msft: ISA Server 2004, 10.10.0.1/16 and 131.107.0.1/16. Denver.nwtraders.msft: Windows XP SP2, Office 2003, 131.107.0.1/16 and 10.10.0.10/16. Glasgow.nwtraders.msft: MIIS Server, ADAM Server, 10.10.0.3 and 131.107.0.8. Brisbane.northwindtraders.msft: Domain Controller, IIS 6.0 Server, 10.10.0.20.

Configure Software Update Services to deploy security updates

Page 23: Configuring Applications to Protect Client Computers

Applications that may be malware targets include:

E-mail client applications

Desktop applications

Instant messaging applications

Web browsers

Peer-to-peer applications

Page 24: Managing Internet Explorer Browser Security

Security Feature / Description

MIME security improvements / Consistency checks; stricter rules

Better security management / Add-on control and management features; better prompts; new script-initiated windows restrictions

Local Machine zone / Ability to control security in the Local Machine zone

Feature Control Security Zone settings / MIME sniffing; security elevation; windows restriction

Group Policy settings / Administrative control for feature control security zones

Page 25: Demonstration 2: Configuring Client-Based Applications

(Same lab network diagram as page 22)

Configure client applications to defend against malware

Page 26: Blocking Unauthorized Applications with Software Restriction Policies

Software restriction policies:

Can be set to: Unrestricted; Disallowed

Can be applied to the following rules: Hash; Certificate; Path; Zone

Can be used to: Fight viruses; Control ActiveX downloads; Run only signed scripts; Ensure approved software is installed; Lock down a computer
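What makes the four rule types usable together is their precedence: a hash rule beats a certificate rule, which beats a path rule, which beats a zone rule, the most specific matching path rule wins among path rules, identical matches resolve to the more restrictive level, and an executable matched by no rule gets the policy's default level ("Lock down a computer" is the default-Disallowed case). The following Python is an added example, not the deck's or Windows' own code, that models that decision on constructed inputs so the interaction between rules can be seen. Simplifications that are assumptions of the example: hashes are SHA-256 of the file bytes, path rules are plain prefixes with no wildcards or environment variables, and the signer and the zone an executable came from are supplied as attributes rather than read from the file.

```python
"""Evaluate software restriction policy rules against an executable.

Added example, not the deck's or Windows' own code. It models the documented
SRP behaviour on constructed inputs: rule types take precedence in the order
hash > certificate > path > zone, the most specific matching path rule wins,
identical matches resolve to the more restrictive level, and an executable
matched by no rule gets the default level. Simplifications: hashes are
SHA-256 of the bytes, path rules are plain prefixes (no wildcards or
environment variables), and signer and zone are given as attributes.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"
RULE_PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    value: str   # sha256 hex digest, signer name, path prefix, or zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None   # subject of the Authenticode signer, if signed
    zone: Optional[str] = None     # e.g. "Internet" for a downloaded file


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _norm(path):
    """Case-insensitive, backslash-separated form used for path comparison."""
    return path.replace("/", "\\").lower()


def rule_matches(rule, exe):
    if rule.kind == "hash":
        return rule.value.lower() == sha256_hex(exe.content)
    if rule.kind == "certificate":
        return exe.signer is not None and rule.value.lower() == exe.signer.lower()
    if rule.kind == "path":
        prefix = _norm(rule.value).rstrip("\\")
        target = _norm(exe.path)
        return target == prefix or target.startswith(prefix + "\\")
    if rule.kind == "zone":
        return exe.zone is not None and rule.value.lower() == exe.zone.lower()
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules, exe, default_level=DISALLOWED):
    """Return (level, winning_rule); winning_rule is None when the default applies."""
    matches = [r for r in rules if rule_matches(r, exe)]
    if not matches:
        return default_level, None

    def rank(rule):
        # Lower tuple sorts first: rule type, then longer path, then Disallowed.
        specificity = len(_norm(rule.value)) if rule.kind == "path" else 0
        return (RULE_PRECEDENCE[rule.kind], -specificity, 0 if rule.level == DISALLOWED else 1)

    winner = min(matches, key=rank)
    return winner.level, winner


# Constructed policy: allow the OS and installed programs, but not a
# user-writable temp directory inside the Windows tree; block one known-bad
# hash regardless of location; trust one signer; block anything tagged as
# coming from the Internet zone.
BAD_SAMPLE = b"constructed bytes standing in for a known-bad executable"
SAMPLE_RULES = [
    Rule("path", r"C:\Windows", UNRESTRICTED),
    Rule("path", r"C:\Program Files", UNRESTRICTED),
    Rule("path", r"C:\Windows\Temp", DISALLOWED),
    Rule("hash", sha256_hex(BAD_SAMPLE), DISALLOWED),
    Rule("certificate", "Contoso Software Signing", UNRESTRICTED),
    Rule("zone", "Internet", DISALLOWED),
]

if __name__ == "__main__":
    for exe in (
        Executable(r"C:\Windows\notepad.exe", b"notepad"),
        Executable(r"C:\Windows\Temp\dropper.exe", b"dropper"),
        Executable(r"C:\Program Files\App\bad.exe", BAD_SAMPLE),
        Executable(r"C:\Users\bob\Downloads\setup.exe", b"setup", signer="Contoso Software Signing"),
        Executable(r"C:\Users\bob\Downloads\tool.exe", b"tool"),
    ):
        level, rule = evaluate(SAMPLE_RULES, exe)
        print(f"{exe.path}: {level} ({rule.kind if rule else 'default'})")
```

The two cases worth studying are the dropper in C:\Windows\Temp, where the longer Disallowed path rule overrides the Unrestricted rule for C:\Windows, and bad.exe under Program Files, where a hash rule overrides the path rule that would otherwise allow it; a path-only allow list is only as strong as the least writable directory it covers.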

Page 27: New Security Features in Windows Firewall

On by default

Boot-time security

Global configuration and restore defaults

Local subnet restrictions

Command-line support

On with no exceptions

Windows Firewall exceptions list

Multiple profiles

RPC support

Unattended setup support

Page 28: Configuring Windows Firewall for Antivirus Defense

Page 29: Protecting Client Computers: Best Practices

Identify threats within the host, application, and data layers of the defense-in-depth strategy

Implement software restriction policies to control applications

Implement an effective security update management policy

Implement an effective antivirus management policy

Use Active Directory Group Policy to manage application security requirements

Page 30: Malware Defense for Servers (agenda section)

Page 31: Protecting Servers: What Are the Challenges?

Challenges to protecting servers include:

Maintaining reliability and performance

Maintaining security updates

Maintaining antivirus updates

Applying specialized defense solutions based upon server role

Page 32: What Is Server-Based Malware Defense?

Basic steps to defend servers against malware include:

Reduce the attack surface

Analyze using configuration scanners

Enable a host-based firewall

Apply security updates

Analyze port information

Page 33: Implementing Server-Based Host Protection Software

Considerations when implementing server-based antivirus software include:

CPU utilization during scanning

Application reliability

Management overhead

Application interoperability

Page 34: Protecting Server-Based Applications

Applications that typically have specialized host protection implementations include:

Application / Example

Web servers / Internet Information Services (IIS)

Messaging servers / Microsoft Exchange 2003

Database servers / Microsoft SQL Server 2000

Collaboration servers / Microsoft SharePoint Portal Server 2003

Page 35: Demonstration 3: Using ISA Server 2004 SMTP Message Screener

(Same lab network diagram as page 22)

Implement the SMTP message screener

Page 36: Protecting Servers: Best Practices

Consider each server role implemented in your organization to implement specific host protection solutions

Stage all updates through a test environment before releasing into production

Deploy regular security and antivirus updates as required

Implement a self-managed host protection solution to decrease management costs

Page 37: Network-Based Malware Defense (agenda section)

Page 38: Protecting the Network: What Are the Challenges?

Challenges related to protecting the network layer include:

Balance between security and usability

Lack of network-based detection or monitoring for attacks

Page 39: Implementing Network-Based Intrusion-Detection Systems

Important points to note:

Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected

ISA Server 2004 provides network-based intrusion-detection abilities

Diagram: a network-based intrusion-detection system provides rapid detection and reporting of external malware attacks

Page 40: Implementing Application Layer Filtering

Application layer filtering includes the following:

Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data

Deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol

Page 41: Demonstration 4: Implementing Filtering with ISA Server 2004

(Same lab network diagram as page 22)

Implement filtering with ISA Server 2004

Page 42: Understanding Quarantine Networks

Standard features of a quarantine network include:

Typically restricted or blocked from gaining access to internal resources

Provides a level of connectivity that allows temporary visitors’ computers to work productively without risking the security of the internal network

Currently only available for VPN remote access solutions

Page 43: Protecting the Network: Best Practices

Have a proactive antivirus response team monitoring early warning sites such as antivirus vendor Web sites

Have an incident response plan

Implement automated monitoring and report policies

Implement ISA Server 2004 to provide intrusion-detection capabilities

Page 44: Malware Outbreak Control and Recovery (agenda section)

Page 45

How to Confirm the Malware Outbreak

The process for infection confirmation includes:

Reporting unusual activity

Gathering the basic information

Evaluating the data

Gathering the details

Responding to unusual activity

False alarm?

Hoax?

Known infection?

New infection?

Page 46

How to Respond to a Malware Outbreak

Outbreak control mechanism tasks include:

Disconnect the compromised systems from the network

Isolate the network(s) containing the infected hosts

Disconnect the network from all external networks

Research outbreak control and cleanup techniques

Examples of recovery goals include:

Minimal disruption to the organization’s business

Fastest possible recovery time

The capture of information to support prosecution

The capture of information to allow for additional security measures to be developed

Prevention of further attacks of this type
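The first outbreak control task above, disconnecting compromised systems, is usually done by pulling the cable. When that is not possible (a remote office, a virtual machine), the same effect can be achieved on the host with Windows Firewall. The script below is an added example and is not from the original deck or from Microsoft; it assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated PowerShell session, and it uses an assumed incident-response host address `$IrHost` and an assumed state file path so the containment can be undone exactly after cleanup.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original deck: host-level containment for the
# "Disconnect the compromised systems from the network" step when the cable cannot
# be pulled. Everything is blocked except traffic to and from one incident-response
# host, so evidence can still be collected from the isolated machine.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated shell.
# Run it from the console or from a session that originates at $IrHost; any other
# remote session is cut off by the block.
param(
    [Parameter(Mandatory)][string]$IrHost,                       # assumed: IP address of the IR collection host
    [string]$StateFile = "$env:ProgramData\IR-Containment.xml",   # assumed path for the undo state
    [switch]$Release                                              # restore the pre-containment firewall state
)

$tag = 'IR-Containment'

if ($Release) {
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile; nothing to release." }
    $state = Import-Clixml $StateFile
    # Re-enable every rule that was enabled before containment, then restore the profile defaults.
    Get-NetFirewallRule -Name $state.EnabledRules -ErrorAction SilentlyContinue | Enable-NetFirewallRule
    foreach ($p in $state.Profiles) {
        Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled `
            -DefaultInboundAction $p.DefaultInboundAction -DefaultOutboundAction $p.DefaultOutboundAction
    }
    Get-NetFirewallRule -DisplayName "$tag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Remove-Item $StateFile
    Write-Host 'Containment released; previous firewall state restored.'
    return
}

if (Test-Path $StateFile) { throw "Host already contained (state at $StateFile). Use -Release first." }

# 1. Record what is about to change so -Release can undo it exactly.
$state = [pscustomobject]@{
    Profiles     = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    EnabledRules = (Get-NetFirewallRule -Enabled True).Name
}
$state | Export-Clixml $StateFile

# 2. Allow only the IR host, in both directions, on every profile.
New-NetFirewallRule -DisplayName "$tag out" -Direction Outbound -Action Allow `
    -RemoteAddress $IrHost -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$tag in" -Direction Inbound -Action Allow `
    -RemoteAddress $IrHost -Profile Any | Out-Null

# 3. Disable every other rule (the built-in outbound allow rules would otherwise
#    still match) and make the default action Block on all profiles.
Get-NetFirewallRule -Name $state.EnabledRules | Disable-NetFirewallRule
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

Write-Host "Host contained: only $IrHost is reachable. Undo state saved to $StateFile."
```

Usage: `.\Contain-Host.ps1 -IrHost 10.0.0.5` on the suspect machine, then `.\Contain-Host.ps1 -IrHost 10.0.0.5 -Release` once the host has been cleaned and confirmed free of malware. Because every rule is disabled, DHCP renewal and name resolution also stop, so reach the IR host by IP address and keep the containment window as short as the investigation allows.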

Page 47

How to Analyze the Malware Outbreak

The following analysis tasks help you to understand the nature of the outbreak:

Checking for active processes and services

Checking the startup folders

Checking for scheduled applications

Analyzing the local registry

Checking for corrupted files

Checking users and groups

Checking for shared folders

Checking for open network ports

Checking and exporting system event logs

Running MSCONFIG
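The analysis tasks above are a live-response checklist; in practice you want them collected in one pass, before any cleanup, into evidence that can later be shown to be unmodified (one of the recovery goals on the previous slide). The script below is an added example and is not from the original deck or from Microsoft. It assumes Windows 8 / Server 2012 or later cmdlets (`Get-ScheduledTask`, `Get-NetTCPConnection`, `Get-LocalUser`), an elevated session, and an assumed evidence path `$EvidenceRoot` on removable or network media rather than the infected volume.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original deck: collect the artifacts on the
# "How to Analyze the Malware Outbreak" slide into one timestamped evidence folder
# and hash them. Run it on the suspect host before any cleanup, preferably from a
# known-good copy of PowerShell on removable media.
# Assumes Windows 8 / Server 2012 or later (Get-ScheduledTask, Get-NetTCPConnection, Get-LocalUser).
param(
    [string]$EvidenceRoot = 'D:\IR-Evidence'   # assumed: removable or network media, not the infected volume
)

$out = Join-Path $EvidenceRoot ('{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Run one collector, write its objects to CSV, and never let a failing collector
# abort the rest of the triage; failures are logged instead.
function Save-Artifact([string]$Name, [scriptblock]$Collector) {
    try {
        & $Collector | Export-Csv -Path (Join-Path $out "$Name.csv") -NoTypeInformation -Encoding UTF8
    } catch {
        "$Name failed: $($_.Exception.Message)" | Out-File -FilePath (Join-Path $out 'errors.txt') -Append
    }
}

# Active processes and services: image path and command line are what you
# compare against a known-good host of the same build.
Save-Artifact 'processes' { Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate }
Save-Artifact 'services' { Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName }

# Startup folders (per-user and all-users).
Save-Artifact 'startup-folders' {
    Get-ChildItem -Force -ErrorAction SilentlyContinue -Path @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") |
        Select-Object FullName, Length, LastWriteTime }

# Scheduled applications, flattened to one "executable arguments" string per task.
Save-Artifact 'scheduled-tasks' { Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskPath, TaskName, Author,
        @{n='Actions'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' }} }

# Local registry: the common autostart (Run/RunOnce) keys. HKCU here is the hive of
# the account running this elevated shell; check other users' hives under HKEY_USERS
# when a different account was logged on when the unusual activity was reported.
Save-Artifact 'registry-run-keys' {
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (Test-Path $k) {
            $item = Get-Item $k
            foreach ($v in $item.GetValueNames()) {
                [pscustomobject]@{ Key = $k; Name = $v; Command = $item.GetValue($v) }
            }
        }
    }
}

# Users and groups: new or re-enabled accounts and unexpected local administrators.
Save-Artifact 'local-users'  { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description }
Save-Artifact 'local-admins' { Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource }

# Shared folders (includes hidden administrative shares).
Save-Artifact 'shares' { Get-CimInstance Win32_Share | Select-Object Name, Path, Type, Description }

# Open network ports with the owning process resolved; established connections
# show which hosts an infected machine is talking to.
Save-Artifact 'tcp-listening' { Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} }
Save-Artifact 'tcp-established' { Get-NetTCPConnection -State Established |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess }

# System event logs, exported whole (.evtx) so timestamps and record IDs survive.
foreach ($log in 'System', 'Application', 'Security') {
    & wevtutil.exe epl $log (Join-Path $out "$log.evtx")
}

# Corrupted system files: verify only, no repair, so nothing on the host is altered yet.
& sfc.exe /verifyonly | Out-File -FilePath (Join-Path $out 'sfc-verifyonly.txt')

# MSCONFIG's Startup and Services tabs show the same Run keys, startup folders and
# services collected above, so no separate step is needed.

# Hash everything so the evidence can later be shown to be unmodified.
$sums = Get-ChildItem -Path $out -File | Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path $_.Path -Leaf) }
$sums | Out-File -FilePath (Join-Path $out 'SHA256SUMS.txt') -Encoding ascii

Write-Host "Evidence written to $out"
```

Each CSV is meant to be diffed against the same collection from a clean host of the same build; the differences (an extra service, a Run value pointing into a user profile, a listening port owned by an unfamiliar process) are what feed the "known infection or new infection" decision on the confirmation slide. Copy the SHA256SUMS.txt file off the host separately as soon as it is produced.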

Page 48

How to Recover from a Malware Outbreak

Use the following process to recover from a virus outbreak:

Restore missing or corrupt data

Remove or clean infected files

Reconnect your computer systems to the network

Confirm that your computer systems are free of malware

Page 49

How to Perform a Postrecovery Analysis

Postrecovery analysis steps include the following:

Postattack review meeting

Postattack updates

Page 50

Session Summary

Understanding malware will help you to implement an effective defense against malware attacks

Use a defense-in-depth approach to defend against malware

Harden client computers by applying security updates, installing and maintaining an antivirus software strategy, and restricting computers using Group Policy

Stage all updates through a test server before implementing into production, in order to minimize disruption

ISA Server 2004 can be used to implement network defenses, such as application layer filtering, message screening, and network quarantine

An efficient response and recovery plan will ensure that if a malware attack occurs, your organization can quickly recover with minimal disruption

Page 51

Next Steps

Microsoft TechNet Canada: http://www.microsoft.ca/technet

Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx

Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx

Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx

Get additional security tools and content: http://www.microsoft.com/security/guidance

Page 52

Questions and Answers

Team Blogs: http://blogs.msdn.com/brucecowper

http://blogs.msdn.com/rclaus