Read without ads and support Scribd by becoming a Scribd Premium Reader.
See Premium Plans
 
Expert Reference Series of White Papers
1-800-COURSES www.globalknowledge.com
The 10 MostDangerous Risks toMicrosoft Security
 
Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 2
The 10 Most Dangerous Risks toMicrosoft Security
Royce Howard, MCSA, MSCE, MCITP-Server Admin, Enterprise Administrator
Introduction
Security has always been an important part o any IT inrastructure. As technology progresses, it’s a sae betthat there will always be people who will try to inltrate your network to do their malicious deeds. As securitytechnology improves, so do the skills o these notorious hackers. But what can we do to protect ourselves romthese threats? This white paper has tips to help improve your awareness o some o the more important risksthreatening your Microsot inrastructure.
1. Physical Attacks
Let’s start with the most basic attack. A physical attack on a computer can be a daunting thing. Suppose some-one actually has physical access to a machine, and they wish to obtain data rom it. With heightened awarenesso password security, things are a little better. However a determined hacker can easily get to inormation thatis stored on a machine whether it be a stand-alone client or a ull-blown domain controller. Some obvious bestpractices include making sure that no one has physical access to any o your servers. Hopeully, most organiza-tions running a back-end SAN will have whatever room the servers are located in under lock and key. Physicalattacks can also include an attacker coming in with an external hardware device like a usb drive and inltratinga system that way.Thankully, Microsot has supplied us with group policy settings so we can set a policy in place that prohibits theuse o any type o external storage device. With the advent o Microsot Server 2008, Microsot has also givenus Read Only Domain Controllers (RODC), and this helps tremendously as ar as networks are concerned. Be-cause o the unilateral replication, i any o the structure is changed or manipulated, it ensures that the changeswon’t be replicated out to the rest o the network, not to mention the choice o which account credentials willbe cached.We were also given the new BitLocker eature to help protect sensitive data. BitLocker Drive Encryption is aull disk encryption eature included with Vista Ultimate and Enterprise as well as the new Windows 7 andServer 2008. It’s designed to protect data by providing encryption or entire volumes. It uses the AES encryptionalgorithm in CBC mode with a 128 bit key. However, as with anything else in terms o security, hackers ound awork-around.Back in February o 2008, a straightorward cold boot attack was discovered. This basically allows a machinethat is protected by BitLocker to be compromised by booting the machine o o a USB device into another OS
 
Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 3
and then dumping the contents o the pre-boot memory. The attack relies on the act that DRAM retains inor-mation or up to several minutes ater the power has been removed. I cooled, it can buy the attacker even moretime. This takes away any protection because the keys are held in memory while Windows is running. BitLockercan also operate in a sort o “USB Key” only mode. O course, anyone using this method better be sure thatthe key is never let with the computer. There is also the possibility that a malicious program, like a pre-boot orpost-boot malware program, could read the startup key o o the USB key and store it. It’s always a good ideato remove the USB key rom the USB port beore Vista completely starts.
2. Password Policies
When talking about password policies, we oten think o complexity requirements. This can include numbero characters, type o characters (letters, upper-case, lower-case, numbers, and special characters), how otenthe password should be changed, and ailure threshholds. Any password policies not using Kerberos are usingNTLanman, which uses 56-bit DES encryption, and that’s really weak. Unless you happen to be running any NTboxes in your network, you can rest easy knowing that Kerberos authentication, with it’s Advanced EncryptionStandard (AES), is at work or you. However, one thing that can oten be overlooked is that any password thatis less than 15 characters long is automatically stored in backup with an NTLanman backup hashle.Taking this into consideration, it’s easy to realize why you might want to have a password policy that requires apassword o over 15 characters. So instead o a password, have your users come up with a passphrase instead.You might even consider having your users change the password every 90 days instead o every month becauseit cuts down on the chance that the user might write down their password. From a security standpoint, anypasswords that are written down or someone else to possibly see are a potential hazard.
3. Privileged Accounts and Social Engineering
Let’s say that you’re the network admin at your organization. You have ull domain rights and privileges. You goto install a new vulnerability scanner that your riend Bob recommended to you (so you know it’s rom a saesource, right?). Unbeknownst to you, the program actually has a series o simple net commands that are runningin the background that create a new domain account, change your password, and a ew other things that makeyou cringe in retrospect. How could this have happened? Ater all, you’re certain that your anti-virus sotwareis up to date. The problem with this scenario is that it has nothing to do with a virus. According to the system, itwas you who created the new admin account and changed your own password.Over the years, the game in security has changed rom “Can I guess your password?” to “How can I get youto run something while you’re signed on with your privileges?” Because o the way that security works withinMicrosot, as soon as you login with an account that has administrative privileges, you possess a “token” thatgives you access to those privileges. Whether it be establishing rapport and good credibility with Bob and thenoering him a new vulnerability scanner to try at work or setting up a web site with dirty active x controls, at-tackers can get pretty creative in how they try to accomplish this.Microsot has been telling us or years not to login with an account with administrative privileges and go websurng, and checking our e-mail. Hence the “run as” eature that was so kindly given to us. While working withan account with non-admin rights, i we need to install a program, we can right-click and choose “run as” and
Search
Search History:
Searching...
Result 00 of 00
00 results for result for
  • p.
    • Notes
    Load more