Post on 27-Dec-2015
The Ten Immutable Laws of Microsoft SharePoint Security
Rick TaylorSenior Technical ArchitectPERFICIENT
OSP201
Who Am I?
Who am I???
The Guardian of Lost SoulsThe PowerfulThe Pleasurable
The IndestructibleRick Taylor
Slick Rick – if you’re nasty
Agenda
The OSI ModelAttack SurfacesBest Practices at securing each layer
What’s the point?
Security is more than just AuthN/AuthZSecurity is like dressing for the cold (do it in layers; aka: DiD (Defense in Depth) )In Security, the WHY is more important than the HOW
A Word about Security• Security and complexity are often inversely proportional. • Security and usability are often inversely proportional. • Security is an investment, not an expense. • "Good enough" security now, is better than "perfect" security ...never• There is no such thing as "complete security" in a usable system. • A false sense of security is worse than a true sense of insecurity. • Your absolute security is only as strong as your weakest link. • Concentrate on known, probable threats. • Security is directly related to the education and ethics of your users. • Security is not a static end state, it is an interactive process. • There are few forces in the universe stronger than the desire of an individual to get his or
her job accomplished. • You only get to pick two: fast, secure, cheap.• In the absence of other factors, always use the most secure options available. • Security ultimately relies - and fails - on the degree to which you are thorough. People don't
like to be thorough. It gets in the way of being done.
What is the OSI Model?
Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
What is Layer 1
Defines electrical and physical specifications Defines relationship between a device and its medium (Copper,
optical, radio, etc)
Layer 1 Attack Surfaces
The mediumCableAir
The hostVia KeyboardVia conduit (RDP host)
Securing Layer 1 - continued
LocksCages
LAW #2 - If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
What is Layer 2?
SublayersMedia Access Control (MAC)Logical Link Control (LLC)Application Protocol Convergence (APC)
ProtocolsARPPPP
How data is transferred from node to node across a network.
Layer 2 Attack Surfaces
Wireless Access PointsWardriving
HubsBroadcasting (rare)
Switches (ARP)Man-in-the-Middle Attacks
Securing Layer 2
Wireless Networks Sniffers ARP flooding
Securing Layer 2 - continued
Strong passwords on wireless routersStrong encryption on wireless networksUse ARP Defense software/hardwareUse DHCP Snooping
Track the physical location of hosts.Ensure that hosts only use the IP addresses assigned to them.Ensure that only authorized DHCP servers are accessible.
Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone
What is Layer 3?
Performs network routing functions3 sublayers:
Subnetwork AccessSubnetwork Dependent ConvergenceSubnetwork Independent Convergence
ProtocolsIP
ServicesICMP
Layer 3 Attack Surfaces
Unused Open PortsCommonly Open PortsPacket inspection
Enumerating Shares
Enabling IPSec via GPO
Benefits of IPsec
IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured networkIPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network
• IPsec has two goals: to protect IP packets and to defend against network attacks
• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other
• IPsec secures network traffic by using encryption and data signing
• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated
Securing Layer 3
Prevent ICMP abuseDDoSAdd “no ip directed-broadcast” to the router (Smurf bounce)Drop (disable) ICMP - *maybe* to prevent malware from “Phoning Home”
Use IPSecUse Network Policy Processing
Network Policy Processing
Are there policies to process?
START
Does connection attempt match policy conditions?
Yes
Reject connection attempt
Is the remote access permission for the user account set to Deny Access?
Is the remote access permission for the user account set to Allow Access?
Yes
Yes
NoGo to next policy
No
Yes
Is the remote access permission on the policy set to Deny remote access permission?
Does the connection attempt match the user object and profile settings?
No
Yes
Accept connection attempt
Reject connection attempt
No
Yes
No
No
Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore
What is Layer 4?
Responsible for reliable communication between endpointsProtocols
Connection-OrientedTCP
ConnectionlessUDP
Layer 4 Attack Surfaces
The operating system (OS Fingerprinting)
Securing Layer 4
Use routers between network segmentsUse private IP addresses on internal networkUse SSLPEN test your networkEnable “Fingerprint Scrubbing” on routers
Securing Layer 4 - continued
Alter the OS kernelChange the default IP time-to-liveChange the initial TCP window size
Modify network-related registry entries
Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more
What is Layer 5?
Responsible for connections between hostsEstablish, Manage, TerminationCheckpointing
ProtocolsRemote Procedure Calls (RPC)
Layer 5 Attack Surfaces
Session hijackingDNS PoisoningDDoS
Quick Test
Step 1 Browse to http://bad.ketil.froyn.name/Step 2 Browse to http://www.example.comIf you see a link to RFC 2606 you are safe.If you see a page saying POISONED…update your resume…jk
Securing Layer 5
Choose your authentication protocols wiselyLess secure protocols maybe be tunneled through more secure protocols
Configure DNS correctlySpecify IP address of authorized DNS servers
What is Layer 6?
Presentation = TranslationResponsible for representing data in different formatsResponsible for serialization of objects to and from XML
Layer 6 Attack Surfaces
NetBIOSSMBIPC$
Securing Layer 6
Lock down Null Session capabilityFor Clients:
HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous0 – Default setting.1 – Null session can not be used to enumerate shares or user names
For ServersHKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous0 – Default setting. Null sessions can be used to enumerate shares1 – Null sessions can not be used to enumerate shares
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM0 – Null sessions can enumerate user names1 – Default setting. Null sessions can not enumerate user names
Law #6: Absolute anonymity isn't practical, in real life or on the Web
What is Layer 7?
Top layer of OSI modelInterfaces directly with applications and their processes.Most of us focus primarily (if not exclusively) at this layer
Layer 7 Attack Surfaces
DNSFTPSMTPTelnetSQLEtc, etc, etc
Securing Layer 7
Use GPO policies to block software installationUse GPO policies to prevent misuse of accountsUse NAP to enforce access policiesUse IPSec to secure host to host and host to server communicationsFollow Best Practices for securing service accounts
Law #7: Weak passwords trump strong security
Law #8: A computer is only as secure as the administrator is trustworthy
Service AccountsFarmSetupApplication PoolSQL
SharePoint Service Accounts
SQL Server Service AccountSharePoint Setup User AccountSharePoint Farm Service Account
SharePoint Service Accounts
Fewest is bestLeast Privilege is bestSome rights will change (and not all are “Service” accounts)
Law #9: Your infrastructure is as strong as your weakest link
Law #10: Technology is not a panacea
10 Immutable Laws of Security
Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore Law #3: If a bad guy can view your conversation, you have just invited him to tell everyoneLaw #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more Law #6: Absolute anonymity isn't practical, in real life or on the WebLaw #7: Weak passwords trump strong security Law #8: A computer is only as secure as the administrator is trustworthy Law #9: Your infrastructure is only as strong as your weakest linkLaw #10: Technology is not a panacea
Thank you for attending!
Please be sure to fill out your session evaluation!
Resources
www.microsoft.com/teched
Sessions On-Demand & Community Microsoft Certification & Training Resources
Resources for IT Professionals Resources for Developers
www.microsoft.com/learning
http://microsoft.com/technet http://microsoft.com/msdn
Learning
http://northamerica.msteched.com
Connect. Share. Discuss.
Complete an evaluation on CommNet and enter to win!
Scan the Tag to evaluate this session now on myTech•Ed Mobile