Microsoft Days 09 Windows 2008 Security

IT Professionals, Kempinski Hotel Zografski, Sofia

Upload: dkaya

Post on 11-May-2015


DESCRIPTION

This is the presentation I gave at Microsoft Days Bulgaria, Kempinski Hotel, 15.04.2009.

TRANSCRIPT

Page 1: Microsoft Days 09 Windows 2008 Security

IT Professionals
Kempinski Hotel Zografski, Sofia

Page 2: Windows Server 2008 Security Improvements

Deniz Kaya
Microsoft, Cisco, IronPort, Mile2 Instructor
MCT, MCSE, CCSI, CCSP, CCNP, ICSI, ICSP, CPTS

Page 3: Agenda

• Windows Firewall with Advanced Security
• Server and Domain Isolation
• Server Core
• Windows Service Hardening
• Read-Only Domain Controllers
• Fine-grained Password Policy
• Network Access Protection

Page 4: Windows Firewall with Advanced Security

Combined firewall and IPsec management
– New management tool: the Windows Firewall with Advanced Security MMC snap-in
– Reduces conflicts and coordination overhead between the two technologies

Firewall rules become more intelligent
– Specify security requirements such as authentication and encryption
– Specify Active Directory computer or user groups

Outbound filtering
– Enterprise management feature, not aimed at consumers

Simplified protection policy reduces management overhead

Page 5: Windows Firewall with Advanced Security

Combined firewall and IPsec management
Firewall rules become more intelligent
Policy-based networking

Page 6: Server & Domain Isolation

Domain Isolation: protect managed computers from unmanaged or rogue computers and users
Server Isolation: protect specific high-value servers and data

Page 7: Isolation Solution Details

Policy Management
Policies are created, distributed, and managed through Active Directory® security groups and Group Policy:
– Domain membership is required to access trusted resources.
– Expands the use of supporting tools such as Microsoft Systems Management Server (SMS) 2003 or Windows Server® Update Services (WSUS).

Authentication
Authentication is based on machine and user credentials:
– Kerberos, X.509 certificates, NTLM version 2 (NTLMv2), NAP health certificates

Enforcement
Policies are enforced at the network layer by IPsec:
– Uses IPsec transport mode for end-to-end security and Network Address Translation (NAT) traversal
– Packets are encapsulated with Encapsulating Security Payload (ESP) or Authentication Header (AH) for authentication and integrity
– Optionally, encryption of highly sensitive network traffic
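The following is an added example, not part of the slides or of a Microsoft tool: the domain-isolation and server-isolation policy from pages 4 to 7 expressed as netsh advfirewall commands on Windows Server 2008. The rule names, the DC/DNS/DHCP addresses 10.0.0.10 and 10.0.0.11, the group IsolatedClients and the domain name are assumptions. One caveat the slide glosses over: AH cannot cross a NAT because its integrity check covers the IP header, so for the NAT traversal the slide mentions the encapsulation has to be ESP (ESP with null encryption when only integrity is wanted). Every netsh line also runs unchanged from cmd.exe, which matters on 2008 Server Core, where PowerShell is not available.

```powershell
# Added example: domain and server isolation with Windows Firewall with
# Advanced Security on Windows Server 2008. Rule names, addresses, the
# IsolatedClients group and the domain are assumptions. Run elevated; in a
# real deployment push the same rules through Group Policy, not per host.

# --- Domain isolation: authenticate every domain-profile connection with the
# machine's Kerberos identity. Inbound is *required*, outbound only
# *requested*, so domain members can still reach unmanaged hosts but unmanaged
# hosts cannot initiate to them. Transport mode, so NAT-T (ESP over UDP 4500)
# still works between members that sit behind a NAT.
netsh advfirewall consec add rule name="Domain Isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb mode=transport profile=domain `
    description="Require IPsec auth inbound from domain members"

# --- Exemptions: infrastructure that must be reachable before Kerberos can
# work at all (DCs, DNS, DHCP). Authentication-exemption rules win over every
# other connection security rule, so keep this list short and exact.
# The comma-separated list is quoted so PowerShell does not split it.
netsh advfirewall consec add rule name="Exempt infrastructure" `
    endpoint1=any endpoint2="10.0.0.10,10.0.0.11" action=noauthentication `
    profile=domain description="DC/DNS/DHCP reachable without IPsec"

# --- Server isolation: only computers in the AD group IsolatedClients may
# reach SMB on this high-value server, and the traffic must be encrypted.
# rmtcomputergrp takes an SDDL string that wraps the group's SID.
$groupSid = dsquery group -samid "IsolatedClients" | dsget group -sid |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^S-1-5-21-' } |
    Select-Object -First 1
if (-not $groupSid) { throw "Group SID not found; check dsquery/dsget output" }
$sddl = "D:(A;;CC;;;$groupSid)"

netsh advfirewall firewall add rule name="SMB - isolated clients only" `
    dir=in action=allow protocol=TCP localport=445 profile=domain `
    security=authenc rmtcomputergrp="$sddl" `
    description="Inbound SMB only from IsolatedClients, IPsec authenticated and encrypted"

# --- Verify: the configured rules, and (after some traffic) the live
# main-mode and quick-mode security associations.
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name="SMB - isolated clients only" verbose
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Test the exemption list before the isolation rule goes domain-wide: a member that cannot reach a DC without IPsec, and cannot get a Kerberos ticket without reaching a DC, locks itself out of the domain.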

Page 8: Demo

Windows Firewall with Advanced Security
Server & Domain Isolation

Page 9: Server Core

Windows Server Core contains security, TCP/IP, file systems, RPC, plus the other core server sub-systems; GUI, CLR, shell, IE, OE, etc. are not installed (which is why PowerShell is not available on Server Core in Windows Server 2008).

Server roles available on Server Core: DHCP, DNS, File, Print, AD DS, AD LDS, Media (Streaming Media Services), IIS 7, WSv (Windows Server Virtualization, i.e. Hyper-V)

– Only a subset of the executable files and DLLs is installed
– No GUI interface installed
– 9 available server roles
– Can be managed with remote tools

Page 10: Server Core and Roles

• Windows Server is frequently deployed to support a single role or a fixed workload
– Despite the fixed workload, all of Windows Server still has to be deployed and serviced
– Services not essential to the workload carry servicing, security, and management costs
• IT staff and IT skills are technology-role-centric
– Active Directory administrators don't usually administer web servers
– Skill sets for SQL administration are not highly transferable to DHCP administration

Page 11: Windows Service Hardening

• Built-in accounts for easy management
– No password management requirements
– LocalSystem: very powerful and holds most privileges; use cautiously
– LocalService and NetworkService: greatly reduced privilege set
• NetworkService uses the machine account for remote authentication

Active protection covers the file system, the registry and the network

Page 12: Service Hardening

• Services are attractive targets for malware
– Run without user interaction
– A number of critical vulnerabilities have been in services
– A large number of services run as "System"
– Worms target services: Sasser, Blaster, CodeRed, Slammer, etc.

Page 13: Problem: Shared Session 0

• Services and the console user's applications run in the same session (session 0)
• Application windows in the same session can freely send window messages to each other
• A low-privilege application window can exploit a vulnerability in a high-privilege application window by means of window messaging (the "shatter attack" class)

Page 14: Solution: Session 0 Isolation

• No more shared session 0
– Session 0 is assigned exclusively to services and is made non-interactive
– User applications run in session 1 and higher
– Services are isolated from user applications to prevent these attacks

Page 15: Problem: Privilege issue

• Services automatically gain all privileges of the account they run in
• Services cannot specify the set of privileges they require
• Lack of granular control over privileges: services run with unnecessarily high privileges

Example (LocalSystem): the services Disk Manager and Garbage Collector both hold the privileges Load driver, Shut down and Back up, whether they need them or not

Page 16: Solution: Running With Least Privilege

• Privilege stripping: enables a service to run with least privilege
• Use only required privileges
– Express the required privileges during service configuration (SeBackupPrivilege, SeRestorePrivilege, etc.) through the ChangeServiceConfig2 API (sc.exe can be used as well)
– The SCM computes the union of the required privileges of all services hosted in the same process
• Unnecessary privileges are permanently removed from the process token when the service process starts
– No privileges are added: the target account must already hold the required privileges, e.g. a service running as LocalService cannot get SeTcbPrivilege

Page 17: Problem: No Service Isolation

• Services do not have an individual identity of their own
– The identity of a service is tied to the account it runs in
– E.g. when the Web Server (Account: LocalService) is granted access to a database, the Time Server (also Account: LocalService) gains access to the database too

Page 18: Solution: Service Isolation

• Service-specific SID
– 1:1 mapping between service name and SID
– Use it to ACL the objects the service needs, so that only the service-specific SID is allowed access
• Use ChangeServiceConfig2 or sc.exe to control the service SID: set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
• Service-specific SID assigned at start time
– When the service process starts, the SCM adds the service SIDs to the process token (S-1-5-80-XXXXX-YYYYY)
– The SID is enabled/disabled when the service starts/stops
– Service SIDs are local to the machine

Page 19: Network Access Restriction

– Service network restrictions are implemented with per-service SIDs
– The Server 2008/Vista firewall has been enhanced to support service network restriction
– Services can add firewall rules that specify the communication protocol, ports and direction of the traffic
• E.g. a service can add a rule restricting its network access to outbound communication on TCP port 10000; the integrated firewall in Vista/Server 2008 then blocks all other types of network access for that service
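The following is an added example, not code from the slides or from Microsoft: it applies the three per-service controls of pages 16, 18 and 19 (privilege stripping, the service SID, and network restriction) to a hypothetical service "MySvc" installed at C:\svc\mysvc.exe with a data directory C:\svc\data. The service name, paths and port 10000 are assumptions. The sc.exe verbs are the documented Vista/2008 ones; the network-restriction part uses the HNetCfg.FwPolicy2 COM object's ServiceRestriction interface, which is the programmatic route for the "service adds its own firewall rule" behaviour the slide describes.

```powershell
# Added example: least privilege, service SID and network restriction for a
# hypothetical service "MySvc" (C:\svc\mysvc.exe, data in C:\svc\data).
# Run elevated. In PowerShell "sc" is an alias for Set-Content, so the
# service control tool has to be called as sc.exe.

$svc = "MySvc"

# --- Page 16: least privilege. Declare the privileges the service really
# needs; the SCM drops every other privilege from the process token when the
# process starts. It never adds any, so the account must already hold them
# (LocalService, for instance, can never receive SeTcbPrivilege).
sc.exe privs $svc SeChangeNotifyPrivilege/SeBackupPrivilege
sc.exe qprivs $svc

# --- Page 18: give the service an identity of its own (NT SERVICE\MySvc).
sc.exe sidtype $svc unrestricted
sc.exe qsidtype $svc

# The service SID is derived from the name alone: S-1-5-80 followed by the
# SHA-1 of the upper-cased UTF-16LE service name, split into five
# little-endian 32-bit sub-authorities. Computing it offline and comparing
# with what the SCM reports is a cheap sanity check.
function Get-ServiceSid([string]$Name) {
    $bytes = [Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $hash  = [Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    "S-1-5-80-" + ($subs -join "-")
}
$computed = Get-ServiceSid $svc
$reported = (sc.exe showsid $svc | Where-Object { $_ -match '^SERVICE SID:' }) -replace '^SERVICE SID:\s*', ''
if ($computed -ne $reported) { throw "SID mismatch: computed $computed, SCM reports $reported" }

# ACL the data directory to the service SID (plus administrators) only. The
# page-17 problem goes away: another LocalService service no longer inherits
# access just because it shares the account.
icacls C:\svc\data /inheritance:r `
    /grant:r "NT SERVICE\${svc}:(OI)(CI)M" `
    /grant:r "BUILTIN\Administrators:(OI)(CI)F"

# --- Page 19: network restriction. Place the service under Windows Service
# Hardening; from then on it is blocked from the network except where a
# service-restriction rule allows it, here outbound TCP 10000 only. These
# rules live in the service-restriction store, separate from the ordinary
# firewall rule list. Set Protocol before RemotePorts: ports are only valid
# for TCP/UDP, and the default protocol is "any".
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$policy.ServiceRestriction.RestrictService($svc, "C:\svc\mysvc.exe", $true, $false)

$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name            = "$svc outbound TCP 10000 only"
$rule.ServiceName     = $svc
$rule.ApplicationName = "C:\svc\mysvc.exe"
$rule.Protocol        = 6          # TCP
$rule.RemotePorts     = "10000"
$rule.Direction       = 2          # NET_FW_RULE_DIR_OUT
$rule.Action          = 1          # NET_FW_ACTION_ALLOW
$rule.Enabled         = $true
$policy.ServiceRestriction.Rules.Add($rule)

# Restart so the new token (stripped privileges + service SID) takes effect.
sc.exe stop  $svc
sc.exe start $svc
```

Strip privileges only after checking what the service actually uses (a service that calls backup APIs without SeBackupPrivilege fails at runtime, not at configuration time), and remember that the union rule means one privilege-hungry service in a shared svchost group keeps that privilege available to every service in the group.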

Page 20: Read-Only Domain Controller

Main Office (hub, full DC) and Branch Office (RODC)

Features
– Read-only Active Directory database
– Only allowed user passwords are stored on the RODC
– Unidirectional replication
– Role separation

Benefits
– Increases security for remote domain controllers where physical security cannot be guaranteed

Page 21: So how can we deploy a Domain Controller in this environment?!

Page 22: Read-Only Domain Controller

Admin Role Separation
– The RODC server admin does NOT need to be a Domain Admin
– Prevents the branch admin from accidentally causing harm to AD
– Delegated promotion

Password Replication Policy
– Policy to configure caching of branch-specific passwords (secrets) on the RODC
– Policy to filter schema attributes from replicating to the RODC
– Passwords are not cached by default

1-Way Replication
– No replication from the RODC to a full DC
– An attack on the RODC does not propagate to AD

Page 23: RODC – Attacker "experience"

Attacker: Let's intercept Domain Admin credentials sent to this RODC.
RODC: With admin role separation, the Domain Admin doesn't need to log in to me.

Attacker: Let's steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.

Attacker: Let's tamper with data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.

Attacker: Damn!

Page 24: Read-Only Domain Controller – How it works

Branch (RODC) and Hub (full DC):
1. The logon request is sent to the RODC
2. The RODC looks in its DB: "I don't have the user's secrets"
3. The RODC forwards the request to a full DC
4. The full DC authenticates the user
5. The full DC returns the authentication response and TGT back to the RODC
6. The RODC gives the TGT to the user and queues a replication request for the secrets
7. The hub DC checks the Password Replication Policy to see if the password can be replicated

Page 25: Read-Only Domain Controller – Recommended Deployment Models

• No accounts cached (default)
– Pro: most secure; still provides fast authentication and policy processing
– Con: no offline access for anyone
• Most accounts cached
– Pro: ease of password management; a manageability improvement of the RODC, not a security one
– Con: more passwords potentially exposed on the RODC
• Few accounts (branch-specific accounts) cached
– Pro: enables offline access for those who need it and maximizes security for the others
– Con: fine-grained administration is a new task
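The following is an added example, not from the slides: the delegated promotion and Password Replication Policy (PRP) work behind pages 22 to 25, for the "few accounts cached" model. The domain contoso.com, site Branch, hosts BRANCH-RODC and HUB-DC1, and the groups Branch-Admins and Branch-Users are assumptions; the dcpromo switches are the Windows Server 2008 unattend options (dcpromo /?:Promotion lists them), and the DSRM password is a placeholder to be replaced.

```powershell
# Added example: delegated RODC promotion and PRP administration on Windows
# Server 2008. Domain, site, host and group names are assumptions.

# --- Stage 1, run by a Domain Admin at the hub: pre-create the RODC computer
# account, delegate the promotion to the branch admins group and seed the PRP.
# No Domain Admin ever logs on to the branch box (admin role separation).
dcpromo /unattend /CreateDCAccount `
    /ReplicaDomainDNSName:contoso.com `
    /DCAccountName:BRANCH-RODC `
    /SiteName:Branch `
    /DelegatedAdmin:"CONTOSO\Branch-Admins" `
    /PasswordReplicationAllowed:"CONTOSO\Branch-Users" `
    /InstallDNS:Yes /ConfirmGc:Yes

# --- Stage 2, run by a member of CONTOSO\Branch-Admins on the branch server
# (a local administrator there, not a Domain Admin). It attaches to the
# pre-created account and pulls a read-only replica from a writable DC.
# /Password:* prompts; replace <DSRM-password> with the real DSRM password.
dcpromo /unattend /UseExistingAccount:Attach `
    /ReplicaDomainDNSName:contoso.com `
    /ReplicationSourceDC:HUB-DC1.contoso.com `
    /UserDomain:CONTOSO /UserName:branchadmin /Password:* `
    /SafeModeAdminPassword:"<DSRM-password>" /RebootOnCompletion:Yes

# --- PRP, "few accounts cached" model (page 25): allow only the branch
# group. The built-in Denied RODC Password Replication Group keeps Domain
# Admins, Enterprise Admins, krbtgt and the other tier-0 accounts out, and
# a deny entry always wins over an allow entry.
repadmin /prp add BRANCH-RODC allow "CN=Branch-Users,OU=Branch,DC=contoso,DC=com"
repadmin /prp view BRANCH-RODC allow
repadmin /prp view BRANCH-RODC deny

# --- Page 23, "let's steal this RODC": what the thief actually holds is the
# reveal list. Check it from a writable DC (these are the passwords to reset
# if the box disappears) ...
repadmin /prp view BRANCH-RODC reveal
# ... and see who has authenticated through it (candidates for caching).
repadmin /prp view BRANCH-RODC auth2

# Same allow/deny data straight from the RODC computer object via ADSI:
# the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes.
function Get-RodcPrp([string]$RodcDn) {
    $rodc = [ADSI]"LDAP://$RodcDn"
    @{
        Allow = @($rodc.'msDS-RevealOnDemandGroup')
        Deny  = @($rodc.'msDS-NeverRevealGroup')
    }
}
$prp = Get-RodcPrp "CN=BRANCH-RODC,OU=Domain Controllers,DC=contoso,DC=com"
if ($prp.Allow | Where-Object { $_ -match '^CN=Domain Admins,' }) {
    Write-Warning "Domain Admins is in the allow list; admin secrets must never be cached on an RODC"
}
$prp.Allow
$prp.Deny
```

The reveal list is the operational point of the page-23 scenario: the RODC's value to a thief is exactly the set of accounts whose secrets were cached, so the response to a lost RODC is to delete its computer account (the wizard offers to reset those passwords) rather than to hunt for what else it might have held.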

Page 26: Demo

Read-Only Domain Controllers

Page 27: Fine-Grained Password Policies – Overview

• Granular administration of password and lockout policies within a domain
• Usage examples:
– Administrators: strict settings (passwords expire every 14 days)
– Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
– Average user: "light" settings (passwords expire every 90 days)

Page 28: Fine-Grained Password Policies – At a glance

• Policies can be applied to: users, global security groups
• Do NOT apply to: computer objects, organizational units
• Multiple policies can be associated with a user, but only one applies

Page 29: Fine-Grained Password Policies – Example

Password Settings Object PSO 1, Precedence = 10, applies to the user
Password Settings Object PSO 2, Precedence = 20, applies to the same user
Resultant PSO = PSO1: the PSO with the lower precedence value wins
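The following is an added example, not from the slides: it creates the three Password Settings Objects of page 27 on a Windows Server 2008 domain and then resolves which PSO a user gets, as on page 29. The domain contoso.com, the PSO names, the group Service-Accounts and the user Alice are assumptions. ldifde is used because 2008 RTM ships no AD cmdlets; the domain functional level must be Windows Server 2008 and the caller a Domain Admin. Durations are stored in AD as negative 100-nanosecond intervals, which is exactly a negated .NET TimeSpan.Ticks.

```powershell
# Added example: fine-grained password policy on Windows Server 2008.
# Domain, PSO names, group DNs and the user are assumptions.

function New-PsoLdif {
    param([string]$Name, [int]$Precedence, [int]$MaxAgeDays,
          [int]$MinLength, [string[]]$AppliesTo,
          [string]$Domain = "DC=contoso,DC=com")
    # AD Integer8 durations: negative count of 100 ns units.
    $neg = { param($ts) "-" + $ts.Ticks }
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$Domain",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        "msDS-PasswordSettingsPrecedence: $Precedence",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        "msDS-PasswordHistoryLength: 24",
        "msDS-PasswordComplexityEnabled: TRUE",
        "msDS-MinimumPasswordLength: $MinLength",
        "msDS-MinimumPasswordAge: " + (& $neg (New-TimeSpan -Days 1)),
        "msDS-MaximumPasswordAge: " + (& $neg (New-TimeSpan -Days $MaxAgeDays)),
        "msDS-LockoutThreshold: 5",
        "msDS-LockoutObservationWindow: " + (& $neg (New-TimeSpan -Minutes 30)),
        "msDS-LockoutDuration: " + (& $neg (New-TimeSpan -Minutes 30))
    )
    foreach ($dn in $AppliesTo) { $lines += "msDS-PSOAppliesTo: $dn" }
    ($lines -join "`r`n") + "`r`n`r`n"
}

# Page 27: strict for admins, moderate for service accounts, light for users.
# Lower precedence value = stronger claim, so the strictest policy gets 10.
$ldif  = New-PsoLdif -Name "PSO-Admins"   -Precedence 10 -MaxAgeDays 14 -MinLength 14 `
             -AppliesTo "CN=Domain Admins,CN=Users,DC=contoso,DC=com"
$ldif += New-PsoLdif -Name "PSO-Services" -Precedence 20 -MaxAgeDays 31 -MinLength 32 `
             -AppliesTo "CN=Service-Accounts,OU=Groups,DC=contoso,DC=com"
$ldif += New-PsoLdif -Name "PSO-Users"    -Precedence 30 -MaxAgeDays 90 -MinLength 8 `
             -AppliesTo "CN=Domain Users,CN=Users,DC=contoso,DC=com"
$ldif | Set-Content -Path .\pso.ldf -Encoding ASCII
ldifde -i -f .\pso.ldf -k

# Page 29: among the PSOs linked to a user, a PSO linked directly to the user
# beats any group-linked one; otherwise the lowest precedence value wins;
# an exact tie is broken by the lowest objectGUID.
function Resolve-Pso($Linked) {
    $direct = @($Linked | Where-Object { $_.Direct })
    $pool = if ($direct.Count -gt 0) { $direct } else { @($Linked) }
    $best = $null
    foreach ($p in $pool) {
        if ($best -eq $null -or $p.Precedence -lt $best.Precedence -or
            ($p.Precedence -eq $best.Precedence -and $p.Guid.CompareTo($best.Guid) -lt 0)) {
            $best = $p
        }
    }
    $best
}
$pso1 = @{ Name = "PSO1"; Precedence = 10; Direct = $false; Guid = [Guid]::NewGuid() }
$pso2 = @{ Name = "PSO2"; Precedence = 20; Direct = $false; Guid = [Guid]::NewGuid() }
(Resolve-Pso @($pso1, $pso2)).Name     # the slide's case: PSO1, lower precedence value

# Ask AD itself: msDS-ResultantPSO is a constructed attribute on the user and
# must be requested explicitly.
$user = [ADSI]"LDAP://CN=Alice,CN=Users,DC=contoso,DC=com"
$user.psbase.RefreshCache([string[]]@("msDS-ResultantPSO"))
$user.'msDS-ResultantPSO'
```

Keep the precedence values unique and spaced apart: a tie is resolved by objectGUID, which no administrator controls, and page 28's "only one applies" means a user in both the admin and the service-account group silently gets whichever of the two has the lower number.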

Page 30: Example: Patch Using Network Access Protection

1. The Windows client requests access to the network and presents its current health state
2. DHCP, VPN or switch/router relays the health status to the Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy, consulting policy servers such as patch and AV servers
4. If not policy compliant, the client is put in a restricted VLAN (restricted network) and given access to fix-up/remediation servers to download patches, configurations, signatures (repeat 1–4)
5. If policy compliant, the client is granted full access to the corporate network

Page 31: NAP – Enforcement Options

Enforcement | Healthy client | Unhealthy client
DHCP | Full IP address given, full access | Restricted set of routes
VPN (MS and 3rd party) | Full access | Restricted VLAN
802.1X | Full access | Restricted VLAN
IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and gives flexible isolation.

Page 32: IPsec-based NAP Walk-through

Zones: Quarantine Zone, Boundary Zone, Protected Zone
Components: Client, DHCP, Health Registration Authority (HRA), NPS, Remediation Server

Client -> DHCP: May I have a DHCP address?
DHCP -> Client: Here you go.
Client -> HRA: May I have a health certificate? Here's my SoH (Statement of Health).
HRA -> NPS: Client ok?
NPS -> HRA: No. Needs fix-up.
HRA -> Client: You don't get a health certificate. Go fix up.
Client -> Remediation Server: I need updates.
Remediation Server -> Client: Here you go.
(The client re-submits its SoH to the HRA, which asks NPS again.)
NPS -> HRA: Yes. Issue health certificate.
HRA -> Client: Here's your health certificate.
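The following is an added example, not from the slides: the client-side configuration for the walk-through above and the IPsec rule a protected-zone server needs to honour the health certificate. The HRA name hra.contoso.com, the CA name "Contoso Health CA" and the rule names are assumptions; the NAP enforcement client IDs are the fixed ones netsh nap uses on Vista/Server 2008 (79619 is the IPsec relying party).

```powershell
# Added example: IPsec-based NAP, client and protected-zone server side.
# HRA host, CA name and rule names are assumptions. Run elevated.

# --- NAP client: the agent must run, and only the enforcement client that is
# actually deployed should be enabled, here IPsec. Note the space after
# "start=", which sc.exe requires.
sc.exe config napagent start= auto
net start napagent
netsh nap client set enforcement ID=79619 ADMIN="ENABLE"     # IPsec relying party
netsh nap client set enforcement ID=79617 ADMIN="DISABLE"    # DHCP
netsh nap client set enforcement ID=79618 ADMIN="DISABLE"    # VPN / RAS
netsh nap client set enforcement ID=79623 ADMIN="DISABLE"    # EAP / 802.1X

# Tell the client which HRA to ask for a health certificate (the "May I have
# a health certificate? Here's my SoH" step). HTTPS is required so the SoH
# and the issued certificate cannot be tampered with on the wire.
netsh nap client add trustedservergroup name="HRA" requirehttps="ENABLE"
netsh nap client add server group="HRA" url="https://hra.contoso.com/DomainHRA/hcsrvext.dll"

# --- Protected-zone server: require a health certificate from the health CA
# inbound, only request outbound, so a quarantined client cannot initiate to
# this server but can still be answered. Boundary-zone hosts (the HRA and the
# remediation servers) get the same rule with action=requestinrequestout so
# an unhealthy client can still reach them for fix-up.
netsh advfirewall consec add rule name="NAP - protected zone" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computercert auth1ca="CN=Contoso Health CA" auth1healthcert=yes `
    mode=transport profile=domain

# --- Troubleshooting: what the client thinks of its own health and config;
# on the NPS side, event 6272 is access granted and 6273 access denied, with
# the failing health check in the event details.
netsh nap client show state
netsh nap client show config
```

The health certificate is short-lived by design: when it expires the client must present a fresh SoH, so a machine that drifts out of compliance (AV signatures stale, firewall off) falls back into the quarantine zone without any administrator action.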

Page 33: Thank you!