A Collection of Practical Security Techniques
Timothy “Thor” Mullen
Jeffrey W. Brown, Technical Editor
Acquiring Editor: Angelina Ward
Development Editor: Heather Scherer
Project Manager: André Cuello
Designer: Dennis Schaefer
Timothy Mullen is a Principal Security Architect for a worldwide, multibillion-dollar commerce
platform and is rumored to operate somewhere in the vicinity of Seattle, Washington.
Also known as “Thor,” he is the founder of the “Hammer of God” security co-op group. He
is a member of American Mensa, is a Microsoft Certified Trainer, has Microsoft Engineer certifications
in all remotely recent operating systems, and has been awarded Microsoft’s “Most
Valuable Professional” (MVP) award in Windows Enterprise Security four years running.
TECHNICAL EDITOR
Jeffrey W. Brown (CISSP-ISSMP, CISM, CRISC, PMP) is a senior information security professional
with more than 14 years’ experience defining and implementing enterprise security
programs to meet business, regulatory, compliance, and information security requirements
for top Fortune 500 companies. He is currently a Global Information Security Program Manager
at GE Capital, where he manages the development and implementation of global information
security and IT risk initiatives. His industry experience includes membership on advisory boards
and participation in industry associations including ISSA, ISACA, and The Technology Manager’s
Forum. He is also a governing member of the New York CISO Executive Summit. Jeff
was a member of the SANS Windows Security Digest Editorial Board and has been a participant
in several SANS Step-by-Step guides including Windows NT Security Step-by-Step and Securing
Windows 2000 Step-by-Step. He has been an author and contributor for several publications,
including Mission Critical Internet Security (Syngress), and holds a BA and an MS from Pace University.
Introduction
What is security? Is it a mindset? Is it a measurable and actionable posture or position? Or is it a
bit of both? People, as a race, learn from doing; they learn by example. Ingrained into our psyche
is a process that builds new information upon previous knowledge as we learn. As Isaac Newton
said, “If I have seen further than others, it is by standing on the shoulders of giants.” Basically,
we bring in a foundation of old information as we process new information.
But this does not always work in our favor, particularly in the area of technology. Technology
has a way of exposing the flaws in past ways of thinking by filling in the gaps between human
assumptions. Technology answers many of the questions that, frankly, were previously
answered by ad-libs. I think the relationship between science and religion also exemplifies this
quite well. As more technological advances are made, more things about the world that were
previously explained by divine intervention, or magic if you will, are demystified. The people
who came up with these answers were revered as some manner of guru and were held in a
position of regard. Some were indeed gifted and contributed to the well-being of others with
their insight and wisdom. And some were a bunch of jackleg gurus making up stories in the
absence of wisdom, insight, and altruism—or they were simply snake oil salesmen. My intent
is not to be prophetic, but rather to make the suggestion that we need to focus on making clear
distinctions between the lessons that history holds that provide true value to information security
(infosec) and the ones that are simply a bunch of crap.
A security strategy needs to plan for and respond to incidents as moving targets on a sliding
scale. Vectors and targets will change as technology changes, and as revenue sources for criminals
dry up, new ones will be scouted out. Attacks against users and modes of behavior in a
home-usage environment will migrate to mobile scenarios as both individuals and businesses
conduct more and more business via cell phone. But while the attacks change with the targets,
what remains constant are the fundamental building blocks of security, which I believe are
security in depth and least privilege. The reason for this is because I have been writing about
this subject for decades now and these two security concepts have remained as reliable and
dependable as they were years ago.
I think the security industry has been trending in a direction that is actually counterintuitive to its
raison d'être. It is getting further away from actual infosec and closer to the marketing of a three-ring
circus. Today, it seems to be all about flash and ego. If you look at any popular security
conference, the main theme is not actually security, but rather anti-security: how to hack this,
how to attack that, and how to break into whatever else. As time has gone on, the attacks have
become more convoluted and complex and even those attacks that have the least possibility of
occurring are now presented as everyday threats. It seems like presenters nowadays are not
showing you how to be more secure; they are showing you how brilliant they are. If they
can come up with some crazy method of doing something, then they must be geniuses, and as
such, you should buy whatever it is they are selling.
Researchers only want to find bugs and report them so that they get noticed, not because they are
“forcing companies to secure their products,” as is so often claimed. They want the issues they
find to be as bad as they can possibly be, and, in searching for the worst-case scenario, they often
overlook the simpler points of logic, like setting permissions on a vector to prevent exploitation.
For the most part, the content I now see being sold as sound security advice is pretty lame. The
most trivial of security issues are being portrayed as critical security vulnerabilities. One may
argue that it is this level of public scrutiny that has led the industry to be as secure as it is, and
there is some merit to that. However, the amount of really smart people seems to continually
shrink while the number of snake oilers is increasing.
To be fair, I have seen some really interesting, even fascinating, methods of attacking systems
that are amazingly clever; however, their application to real-world business is far removed. If
we use the circus analogy, it is like those acrobats who do handstands on each other’s heads
while flipping around and landing with a foot in each of the other guy’s hands. It is truly remarkable
and takes an incredible amount of practice and skill, but they are not really doing anything.
Sure, it is art and there is value in the entertainment, but at the end of the day from a production
standpoint, these guys have not created a single thing. It is, quite literally, all for show.
This is why I have always presented information security from a defensive point of view. Every
training event I have led and every session I have presented was based on the concept of “do
this to protect yourself from that.” And to me, that is where the value is. I take five minutes of
someone’s time to show them a setting that will prevent the attacks illustrated in five hours
of ethical hacking training. It just seems like the natural way to approach things.
So, as funny as it may sound, not getting hacked is boring. Watching failed attack after failed
attack is not very interesting. And this is why security does not sell. Watching the acrobatics
creates as much security as an open door, yet we feel our money is well spent because it keeps
our attention. This book is about using the building blocks of security to improve your security
posture. It is about deploying solutions with security in depth in an environment of least privilege.
And it is about using what you already have to attain that security posture rather than
having to continue spending money on new security products. I wanted to approach this book
differently than other infosec books that focus on aspects of a single application, and I wanted to
present the material in a way different from the typical academic approach to writing. I think
I have accomplished both. For one, this book is in the first person—it is me talking to you. This
is basically a collection of ideas and methods that I have used to create security in a particular
way, and it comes naturally to me to deliver the information as if we were sitting across from
each other. To get the security points across, I use a word problem format and create various
business scenarios that we will need to figure out. This is more in line with how things work
in the real world. For instance, you do not just secure SQL Server. You can read about it
and practice it, but, in the end, you are really securing the process you have built around SQL
Server. So in these stories the plot is a business project we have been tasked with, and the characters
are different products and product features working together to get the job done.
It is important to understand that the stories are not just about the scenario, but, like other bibles
out there, they each carry a lesson. As you read about how to write a particular piece of code or
create a user in a particular way to do something specific, I would like for you to consider how
the same concepts could be applied to other things. By way of example, you will see a scenario
later in this book about logging firewall proxy data to a SQL server, and how the SQL server is
running in the context of a low-privileged user, and how to ensure that the connection is always
encrypted so the data integrity is guaranteed. While the project may be to create autonomous log
monitoring in order to automatically enforce access rules, you will be able to use the exact same
process to ensure data from any given application is encrypted in transit when logged to SQL.
In other words, there is always more to the story than the story itself.
Speaking of which, we will now cover a bit of what is actually in the book. In addition to the
chapters herein, you will have some video presentation of run-throughs from the book content
along with code samples and projects on the companion media. We shall cover a wide range of
topics, ideas, and processes here. I will illustrate how to create the autonomous traffic monitor
I wrote of earlier, how to compile and report on traffic from a country-by-country geolocation
standpoint, how to set up a secure external web proxy, how to cover RDP security, how to set up
remote security logging in a least privilege and secure way, and how to create and maintain
service users with associated tricks, traps, and more.
I try to present each story/project in a sequential manner, consistent with how you would build a
project when venturing out on your own. That is, I try to mimic the experience you might have
when trying to figure out things by yourself. I like the organic approach to solving projects
because many times certain aspects of a project do not make themselves known until you come
upon them. Of course, some of my opinions on life, the universe, and everything will also
be intertwined within. So I thank you for supporting the Hammer of God research facilities
by purchasing this book and, without further ado, let us begin.
Product details
| Field | Value |
|---|---|
| Price | |
| File Size | 15,058 KB |
| Pages | 328 p |
| File Type | PDF format |
| ISBN | 978-1-59749-572-1 |
| Copyright | 2011 Elsevier Inc |
Table of Contents
About the Author
Introduction
CHAPTER 1 Securely Writing Web Proxy Log Data to SQL Server and Programmatically Monitoring Web Traffic Data in Order to Automatically Inject Allow/Deny Rules into TMG
Introduction
Scope and Considerations
Implementation
Securely Logging Data to SQL
Designing the Workflow
Execution
Summary
CHAPTER 2 Internet Information Server (IIS) Authentication and Authorization Models, and Locking Down File Access with EFS and WebDAV
Introduction
RSA and AES
Building the Web Application Structure
Accessing Remote Files
Security in Depth
Securing Access with WebDAV
Conclusion
Summary
CHAPTER 3 Analyzing and Blocking Malicious Traffic Based on Geolocation
Introduction
Research and Due Diligence
Implementing a Solution
Integrating with TMG
Summary
References
CHAPTER 4 Creating an Externally Accessible Authenticated Proxy in a Secure Manner
Introduction
Build It and They Will Come
Summary
CHAPTER 5 The Creation and Maintenance of Low-Privileged Service Users (with a Focus on SQL)
Introduction
Creating and Configuring Service User Accounts
Real, Quantifiable Password Strength, and How to Measure It
Summary
References
CHAPTER 6 Remote Security Log Collection in a Least Privilege Environment
Introduction
Log Fetcher Architecture
Accessing WMI
Show Me the Code!
Summary
CHAPTER 7 Securing RDP
Introduction
General RDP Attacks and Mitigation
RDP Solutions Overview
Direct Access of Multiple RDP Hosts
RDG/TSG
RDP Host Security
RDWeb and RemoteApp
Workstation Host Considerations
Limiting Access with Source Port Access Rules
Show Me the Code!
Summary
APPENDIX A List of Acronyms
APPENDIX B Full List of Server 2008 Logs via the WEVTUTIL Tool
Index