微淘公众平台推广营销方法详解

SecuringWindowsNetworksSecurityAdviceFromTheFrontLinePresentedbyRobertHensing–PSSSecurityIncidentResponseSpecialistAgendaRevealingHackerPersonasTopSecurityMistakesEveryoneSeemsToMakeSecuringWindowsNetworksStayingSecureSecureWindowsInitiativeSecurityImprovementsinXPServicePack2RevealingHackerPersonasOverview–RevealingHackersPersonasAutomatedvs.TargetedAttacksRevealingHackerPersonasLameSkilledSophisticatedWhyYOUWereSelectedandHowYouGot0wn3dHackerPersonasAutomatedAttacks“Spreaders”or“Scan’nSploitTools”or“auto-rooters”WormsThatDropBotsorTrojansTargetedAttacks0-dayExploitsCustomAttacksthatExploitWeaknessofYourInternetPresenceHackerPersonasLame-~75%ofallintrusionsMotive:WantsyourstorageandbandwidthMethod:Useofspreaders,bots,wellknownexploitsAbilities:LimitedhighlevellanguageabilityPayload:UsuallyFTPservers,backdoorsdisguisedasa‘clever’servicename“TCP/IP”serviceor“SystemSecurity”service“MicrosoftISAServerCommonFiles”serviceHackerPersonasSkilled-~24%ofallintrusions?Motive:Wantstoexploreyournetworkanduseyourstorageandbandwidth,wantstoavoiddiscoveryasmuchaspossible.Method:CustomizedintrusionbasedonidentifiedvulnerabilitiesformultipleoperatingsystemsorapplicationsAbilities:AdvancedHLL,someASMPayload:FTPservers,keyloggers,backdoors,sniffers,passworddumpersHackerPersonasSophisticated-<1%ofallintrusions?Motive:Wantsyourmoneyoryoursecret/confidentialdataMethod:Cancustomizeintrusionbasedonanynumberofidentifiedvulnerabilitiesforavarietyofoperatingsystemsandapplications,possiblyusing0-dayexploitsAbilities:AdvancedHLL,AdvancedASMPayload:Rootkits,asinglebackdoorDLL,extortionletter!HackerPersonasWhyyouwereselectedandhowyougot0wn3d...Oddsaregreatyouwere0wn3dbyalamerYouwereeasilyidentifiedasaWindowshostthroughasimpleport-scan(nofirewall)Youareonabigfatpipe(possiblyhosted)YouhaveweakpasswordsormissingsecuritypatchesduetomissingorineffectivesecuritypolicyDemonstrationWindowsRootkit–HackerDefenderTopSecurityMistakesEveryoneSeemsToMakeTopSecurityMistakesWeakornon-existentpasswordpolicyNoauditpolicySporadicsecuritypatchpolicyPatchingtheOS,butnottheappsWeakornon-existentfirewallpolicyNoegressfilteringNoknowledgeofsecurelybuildinganewboxwhichleadstoHacked?Rebuild!HackedAgain!?HowToEndTheCycleofViolenceInstallfromslipstreamedsourceDon’’thaveone?Makeone!Patchorenableahostbasedfirewall(orboth)andthenconnecttothenetworkDon’’tusethepreviousadminpasswordIncludingtheSQLSApasswordDon’tsharelocaladminpasswordsacrossOSinstallationsLeadstoexploitonce,runeverywherePatchtheapplications(SQL,IIS,Exchangeetc.)SecuringWindowsNetworksOverview––SecuringWindowsNetworksSystemAdministratorPersonasAnexampleofwhatnottodoThreats&Countermeasures–PruningTheLowHangingFruitSystemAdminPersonasDefaultSkilledSophisticatedSystemAdminPersonasDefaultPutsserversrightontheInternetwithnofirewallRunsacoupleservicepacksbehind(N-2)anddoesn’tknowhowtokeepuptodatewithsecuritypatchesNopasswordpolicyNoauditpolicyAlldefaultconfigurationsandsettings(alldefaults,allthetime)SystemAdminPersonasSkilledUsesInternetIP’s,buthasrouterACL’sLatestOSSP,allOScriticalupdates,hasn’tpatchedtheapplicationsinawhileifatall6characterpasswordswithaccountlockoutsOnlyauditslogoneventsandmonitorsforaccountlockoutsbycheckingeventlogsperiodicallySuspiciousofdefaultsettingsPerformedsomeOShardeningbyhand––didn’’thardentheapplicationsthoughSystemAdminPersonasSophisticatedUsesafirewallwithNATandingress/egressfilteringUsesanIDS/IPSintheDMZnetworkEnsurescriticalsecuritypatchestestedanddeployedin24hourswithrollbackplan12characterpasswords,notsharedanywhere,noaccountlockout,mayuse2-factorauthNAuditseverything,archivesauditlogsdailyHardenedOSusingsecuritytemplates/grouppolicy,hardenedapplicationsWhatNotToDo...ConfigureyoursystemwithanInternetroutableIPaddressRunmultipleapplications/servicesononeboxActiveDirectory,IIS,SQL,Exchange,PCAnywhere,3rdpartysoftwareAvoidinstallingpatchesDon’thaveapasswordpolicyWhataretheoddsthatsomeonewouldguess‘666’ismyadminpassword?Ifyoudothis,here’’swhatthehackerssee...Threats–LowHangingFruitOverviewNULLSessionEnumerationPassword/AccountLockoutAttacksPasswordHashAttacksRemoteCodeExecutionVulnerabilitiesPhysicalAttacksUnauthorizedNetworkAccessTheVPN“firewallbypass”ServerThreat-NULLSessionEnumerationUnderstandingthe‘NULL’userNetworkconnection,usuallyusingNetBIOSTCP139inwhichnocredentialshavebeenpassed.Networktokengetscreatedontheserverfortheclient,‘Everyone’SIDgetsaddedtothetokenTokencannowenumeratesensitiveinformationusingtheNet*API’sthe‘‘Everyone’SIDhaspermissionsto!CountermeasuresRestrictAnonymous=2BlockaccesstoTCP139/445StopserverserviceThreat–PasswordAttacks/AccountLockoutAttacksAnyservicesthatexposesauthNprotocolsareatriskforpasswordguessingattacksNetBIOS,SMB,RDP,IIS,FTPetc.CountermeasuresUsestrongpasswordsinsteadofanaccountlockoutpolicy(whichonlyprotectsweakpasswords)Educateadministratorsandusersonhowtocreatestrongpasswords.Blockaccesstoportsthatallowauthenticationfromunauthorizednetworks(i.e.theInternet)withafirewallorIPSecportfilteringpolicyShutdownun-neededservices(Serverservice,FTPserviceetc.)Threat–PasswordHashAttacksOnlineattacksDumpingpasswordhashesfromLSASSwhiletheoperatingsystemisrunningPwdump*.exe,L0phtCrack5CountermeasureRequire2-factorauthenticationPreventmaliciouscodefromrunningincontextofadministratororSYSTEMSincethisattackrequireselevatedprivileges,anystepstakentocounterthiscanbeun-donebythecoderunningwiththeseelevatedprivilegesArrivingatthispointmeansyoursecurityposturehasfailedelsewhereandyouhaveothersecurityissuestodealwithThreat–PasswordHashAttacksManIntheMiddleAttacksSniffingshared-secretauthenticationexchangesbasedonauserspasswordbetweenclient/server(LM,NTLMv2,Kerberos)EveryoneseemstothinkKerberossolvedtheMITMpassword-crackingattack!Itdidnot,pertheKerberosv5RFC:"Passwordguessing"attacksarenotsolvedbyKerberos.Ifauserchoosesapoorpassword,itispossibleforanattackertosuccessfullymountanofflinedictionaryattackbyrepeatedlyattemptingtodecrypt,withsuccessiveentriesfromadictionary,messagesobtainedwhichareencryptedunderakeyderivedfromtheuser'spassword.Threat–PasswordHashAttacksManIntheMiddleAttacksToolsavailableforLM/NTLMandKerberosv5ScoopLM/BeatLM/Kerbcrack/LC5SecurityFridaydemonstratedNTLMv2atBlackhatona16-nodeBeowolfclusterin2002!Allresearchersagreethesolutionisstrongpasswords!CountermeasuresUse2-factorauthenticationonWindows2000andlaternetworksAllowstheuseofthePKINITKerberosextensionwhichreplacespasswordswithpublic/privatekeysforinitialTGTatlogonUsestrong10characterorgreaterpasswordsUseIPSecESPtoencryptnetworkallnetworktrafficUse802.1xauthenticationtokeeprogueusersoffyournetworkThreat––PasswordHashAttacksAssumepasswordhasheswilleventuallybeobtainedallowingBrute-forceattacksDictionaryattacksHybridattacks(useadictionarywordthenbrute-forceafewchars)Pre-computationattacks(rainbowtables)––thelatestcraze...L0phtCrack5utilizesallthesemethodsforcrackinghashesCountermeasuresDon’tworryaboutyourhashesbeingstolen––makethemimmunetoreversinginanyreasonableamountoftime!Use10characterorstrongercomplexpasswordsOrbetteryetpass-phrases!NTbasedoperatingsystemssupport128characterpass-phrasesChangethemevery60daysorless.Minimumtimebeforepasswordcanbechanged1dayNumberofpreviouspasswordsremembered:atleast24Threat––PasswordHashAttacks667891011PasswordLength60DayPasswordsDatafromMicrosoftcalculationsbasedonPhillipeOchslin’salgorithmswitha1TerabyteRainbowCrackdatabase(researchthatisthebasisforthenewattack).Threat–PasswordHashAttacksThreat-RemoteCodeExecutionRCEvulnerabilitiesinexposednetworkservicesallowmaliciousattackerstoruncodeoftheirchoiceonaremotesystemStack&HeapoverflowsIntegerunder/overflowsFormatstringvulnerabilitiesCountermeasuresDisableunnecessaryservicesBlockunnecessaryportsInstallallcriticalsecurityupdateswithin24hoursWritesecurecode.Runcriticalservicesusingthenewbuilt-inlow-privilegedaccountsCompileC++codewiththeVC7compiler/GSswitchUsebehavioralblockingsoftwareSanaSecurityProductsUseIntrusionPreventionSystemsThreat–PhysicalAttacksAssumetheworst––physicaltheftofmachineCountermeasuresSYSKEYinmode2or3Keystoredinyourhead(mode2)Keystoredonafloppy(mode3)Protectspasswordhasheswith128bitsymmetricencryptionEithermodeprevents‘‘Nordahl’boot-diskattackAlsopreventstheDSRestoremodestyleattacksEFSCanbeusedtoencryptsensitiveinformationThreat–UnauthorizedNetworkAccessAppliestobothwiredandwirelessnetworksUnauthorizeduserconnectsorassociateswithnetworkandreceivesIPaddressStartsscanning,enumeratingandhackingCountermeasureUse802.1xtoauthenticatenetworkclientsbeforeallowingthemtousethenetworkPort-basedauthentication(requiressupportinghardwareinfrastructure)Threat–VPNServersVPNserversusuallyallowusersun-filteredaccesstothecorporateintranetUserscontaminatetheintranetwithmalwarethey’’vecollectedwhilesurfingtheInternet(worms,etc.)CountermeasureEmployanetworkquarantinesolutionQuarantinesVPNusersinaDMZnetworkwhilemachineischeckedforsecuritypolicycomplianceAftermachinechecks,packetsareroutedIfmachinefailscheck,connectionisdroppedCountermeasures-SummaryThevastmajorityofsecuritythreatscanbefullymitigatedbydoingtwothingswell:PasswordsSecurityupdatesSecurityshouldnotbe‘‘boltedon’’DesignsecurityintothesolutionfromthebeginningMicrosoftSolutionsforSecurityWindowsServer2003SecurityGuideThemeGroupPolicycanbeusedtoautomatetheapplicationofsecurityhardeningandthreatcountermeasuresthroughtheuseofpre-definedsecuritytemplatesappliedtoGPO’’sAutomated––policyappliedasmachinesjointhedomain/movedintoorganizationalunitsTheWindows2000andWindowsServer2003SolutionsforSecuritycomewithpre-configuredreadytodeploytemplatesObviouslyyoushouldtestthembeforedeployingtheminaproductionenvironmentTheyWILLbreaksomethingWindowsServer2003SecurityGuideProvides3differentsecuritylevelsfortheenterpriseLegacyClient(CompatiblewithWin9x–XP)EnterpriseClient(Compatiblewith2000&XPonly)HighSecurityClient(Compatiblewith2000&XPonly)DemonstrationSecuringWindowsServersusingGroupPolicyStayingSecureOverview–StayingSecureAwarenessSecurityAlertNotificationServicesVulnerabilityAssessmentRespondingtoSecurityEventsPatchWarfare–Thursday,Tutorial6IncidentResponse–Thursday,Tutorial6StayingSecureStayingSecureVulnerabilityAssessmentMicrosoftBaselineSecurityAnalyzer1.2LocalorRemoteVulnerability&PatchscannerScansforWindows,IE,IIS,SQL,MSDE,Exchange,Office,Commerce,Biztalk,SNA,andHISvulnerabilities/patches.English,German,FrenchorJapanesebuilds!StayingSecureMBSAPro’sandCon’sPro’sFreeGreatproductcoverageAgent-lessCon’sRequiresAuthenticationwithremotemachineandtheRemoteRegistryandServerServicesSlowwhenscanninglargenetworksNoeasywaytoaggregateXMLoutputStayingSecure3rdPartyvulnerabilityassessmentsoftwareISSInternetScanner––SystemScannerFoundstoneFoundScanMuchmorein-depththanMBSA1.2SecureWindowsInitiativeSecureWindowsInitiativeMicrosoft’sNewSecurityCultureStartedwithBillGatesTrustworthyComputingMemoLeadtoSD3+CSecureByDesign,SecureByDefault,SecureinDeployment+CommunicationsSecureWindowsInitiativeWindowsServer2003firstproducttoresultfromSWI,makesuseofmanyAttackSurfaceReductions(ASR’’s)SecurebyDefault60%lessattacksurfaceareabydefaultcomparedtoWindowsNT4.0SP3ServicesoffbydefaultServicesrunatlowerprivilegeCodereviewsIISre-architectureThreatmodels$200MinvestmentSecurebyDesignCommunicationsSecurebyDesignCodereviewsIISre-architectureThreatmodels$200MinvestmentSecureinDeploymentConfigurationautomationIdentitymanagementMonitoringinfrastructurePrescriptiveguidanceCommunityinvestmentArchitecturewebcastsWritingSecureCode2.0SecureWindowsInitiativeSD3+CSecureWindowsInitiativeDoesSWIwork?Let’shavealook...MS03-007,vulnerabilityexploitedthroughIIS5.0+WebDAVWS2003/IIS6notaffectedbecause:IIS6notinstalledbydefaultIfitwasinstalled,WebDAVdisabledbydefaultIfitwasenabled,IIS6rejectslongURL’sbydefaultIfitdidn’trejectlongURL’s,BOwouldoccurinlowprivilegeprocessnotaprocessrunningasSYSTEMSecureWindowsInitiativeArethereotherexamples?MS04-011,fixes14WindowsvulnerabilitiesOfthese14vulnerabilitiestheLSASSandPCTvulnerabilitiesarecriticalonWindows2000andexploitswereinthewilddaysafterthepatchwasreleased!SecureWindowsInitiativeThesevulnerabilitieswereratedas‘‘Low’’onWindowsServer2003––why?AttackSurfaceReductions(ASR’’s)asaresultofSWIPCTisnotenabledbydefault!LSASSvulnerabilitynotremotelyexploitablebydefault!SecureWindowsInitiativeWantmore?Comingsoon:SecureServerRolesforWindowsServer2003TaskbasedsecuritywizardtofurtherautomatehardeningWS2003serverrolesWindowsXPServicePack2Themostsecureconsumeroperatingsystemtodate!SecurityImprovementsinXPServicePack2SecurityImprovementsinXPSP2OverviewNetworkProtectionTechnologiesMemoryProtectionTechnologiesSaferE-MailSaferBrowsingWindowsInstaller3.0NetworkProtectionTechnologiesAlerter&Messenger––GONE!(Okay,disabled)UniversalPlug&PlayalsodisabledbydefaultBluetoothnetworkstackincludedbydefaultDisabledunlessWHQLBluetoothdeviceispresentNetworkProtectionTechnologiesDCOM––Lockeddownbydefault!Previously,nowayforadministratorstoenforcemachine-wideaccesspolicyforallDCOMapplicationsXPhasover150DCOMserversOOB!ManyDCOMapplicationshaveweak“Launch””and““Access”permissionsthatallowanonymousremoteactivation/access!Administratorshadnowaytocentrallymanage/overridethesesettings!NetworkProtectionTechnologiesDCOMSolution:Machine-wideaccesscheckperformedbeforeanyserver-specificaccesschecksareperformed.StartingwithXPSP2,onlyadministratorscanremotelylaunch/activateDCOMservers!Everyoneisgrantedlocallaunch,activationandcallpermissionsNetworkProtectionTechnologiesRPC–Lockeddownbydefault(RPCInterfaceRestriction)PreviouslyRPCinterfaceswerewideopenforanonymousaccessSP2addsRestrictRemoteClientssettingandenablesitbydefaultRequiresallremoteRPCclientstoauthenticateTheEPMnowrequiresAuthNMustsetEnableAuthEpResolutionto1onclientstogettheEPMworkingagain.NetworkProtectionTechnologiesWindowsFirewall(thesoftwareformerlyknownasICF)BoottimesecurityOnbydefaultforallinterfaces,globalconfiguration(allinterfacescansharesameconfiguration)LocalsubnetrestrictionCommandlinesupport(vianetsh)forscriptomaticconfiguration(thinklogonscripts)“Onwithnoexceptions”ExceptionListMultipleProfilesRPCSupportRestoreDefaultsUnattendedSetupforOEM’sMulticast/BroadcastsupportNewandimprovedGroupPolicyconfiguration(viaSystem.adm)MemoryProtectionTechnologiesIntroducingDataExecutionProtection(NX)Bufferoverflowsusuallyplace‘‘shellcode’onthestackorintheheapandcauseexecutiontojumptothislocationNXmarksareasofthestack/heapasnon-executablepreventingthismal-codefromrunningUsermodeappsthatattempttoruncodewillAVKernelmodedriversthatattempttoruncodewillbluescreenSupportedonAMD64,IA64andforthcomingx64IntelCPU’sforboth32bitand64bitWindowsXPMemoryProtectionTechnologies/GSStackbasedbufferoverflowprotectionPlaces‘canary’valueonthestackbefore/afterstackallocationsValueischeckedwhenvaluesarereadfromthestacktomakesurethestackhasn’’tbeenoverwrittenIfcanaryvaluehaschanged,processcrashesvs.allowingcodetoexecuteSaferE-MailOutlookExpresswillreadalle-mailasplain-textbydefaultBlocksHTMLe-mailexploits“Don’tdownloadexternalHTMLcontentIfyouchosetorenderHTMLe-mail,externalHTMLisnotrendered/downloadedBlocks“webbugs””etc.AESAPI(AttachmentExecutionService)Appsnolongerhavetorolltheirownattachmenthandlingcode(canbesharedbyIM,e-mailetc)SaferBrowsingInternetExplorerAdd-OnManagement/CrashProtectionBinaryBehaviorslockeddownnowOptionappearsineachzoneforconfiguringBindToObjectmitigationActiveXsecuritymodelnowappliedtoURLbindingMicrosoftJavaVMcanbedisabledperzoneLocalMachineZonelockdownAlllocalfiles/contentprocessedbyIEruninLMZNoActiveXobjectsallowedScriptssettoPromptBinaryBehaviors––disallowedNoJava!SaferBrowsingInternetExplorerImprovedMIMEhandling4differentchecksperformed(fileextension,Content-Type/DispositionfromheaderandMIMEsniff)Objectcaching/ScopeObjectslosescopewhenbrowsingtoadifferentdomain/FQDNSitescannolongeraccesscachedobjectsfromothersitesPOPUPBLOCKER!!!!!“NevertrustcontentfromPublishername”OnePromptPerControlPerPageEndlessloopattackSaferBrowsingInternetExplorerAuthenticodeDialogboxsupportsellipsesAnnoyingActiveXcontrolswithoverlylongdescriptionscannowbeviewedWindowRestrictionsPreventsUIspoofingattacksScriptSizing/RepositioningrestrictionsPreventsscriptsfrommovingwindowstohideURLbars/statusbarsetcStatusbaralwaysvisibleScriptscannolongerdisableitSaferBrowsingInternetExplorerScriptPop-upWindowPlacement,pop-upsnowconstrainedsothattheyDonotextendabovethetoporbelowthebottomoftheparentInternetExplorerWebObjectControl(WebOC)window.AresmallerinheightthantheparentWebOCwindow.Overlaptheparentwindowhorizontally.Staywiththeparentwindowiftheparentwindowmoves.Appearaboveitsparentsootherwindows(suchasadialogbox)cannotbehidden.MitigateschromelesswindowattacksSaferBrowsingInternetExplorerZoneElevationblocksInternetExplorerpreventstheoverallsecuritycontextforanylinkonapagefrombeinghigherthanthesecuritycontextoftherootURLScriptscannotnavigatefromInternetZonetoLocalMachineZoneANDLocalMachineZoneislockeddownbydefaultnowevenifitcouldhappen!ZoneElevationAttacksareoneofthemostexploitedIEattackvectorsWindowsInstaller3.0ImprovedinventoryfunctionsacrossuserandinstallationcontextsSupportforbinarydeltacompressionMakespatchessmaller/quickertodownloadPatchSequencingAuthorscanprovideexplicitinstallationorderSupportsWinHTTP(vs.WinInet)forwebdownloadsNolongerinteractiveRunsasSYSTEM,InteractiveSYSTEMservicescanbe““shattered”Demonstration(timepermitting)OutofBoxExperienceAutomaticUpdatesSecurityCenterWindowsFirewallRPCHardeningInternetExplorerAdd-onsManager©2003MicrosoftCorporation.Allrightsreserved.Thispresentationisforinformationalpurposesonly.MICROSOFTMAKESNOWARRANTIES,EXPRESSORIMPLIED,INTHISSUMMARY.Soarewethereyet?We’’regettingthere,staytuned...9、静夜夜四无无邻，，荒居居旧业业贫。。。12月月-2212月月-22Saturday,December31,202210、雨中中黄叶叶树，，灯下下白头头人。。。11:32:1911:32:1911:3212/31/202211:32:19AM11、以我我独沈沈久，，愧君君相见见频。。。12月月-2211:32:1911:32Dec-2231-Dec-2212、故人人江海海别，，几度度隔山山川。。。11:32:1911:32:1911:32Saturday,December31,202213、乍乍见见翻翻疑疑梦梦，，相相悲悲各各问问年年。。。。12月月-2212月月-2211:32:1911:32:19December31,202214、他乡生生白发，，旧国见见