Speech title - PowerPoint PPT Presentation

1
Secure Infrastructure
2
Software Restriction Policies
3
Motivation
  • Remote Explorer, ILOVEYOU
    • Wake-up call
  • New kinds of viruses
    • Virus writers showing a very high level of skill
    • Targeting specific MS applications
  • Began analyzing virus attacks
    • Everyone runs as admin
    • Running untrusted code
    • Social engineering

4
Supported Platforms
  • Windows XP and Windows Server 2003 only
    • All SKUs (home, pro, server, on up)
  • Use in a domain
    • If mixed environment, W2K clients ignore the policy
  • Use standalone
    • Replacement for TermSrv appsec
  • Aimed at Corporate Users

5
The standard response
  • Virus Detection, Quarantine, Cleanup
    • AV vendors doing a good job here
    • Ease of deployment is improving
    • Improve reliability, performance of filter drivers
  • Virus Prevention
    • Stopping viruses sight unseen
  • Need to balance
    • Usability
    • Security
    • Flexibility

6
The Larger Problem
  • Unknown Code
  • Malicious Code
    • Viruses
    • Trojans
  • Unauthorized applications
    • Games
    • Peer to peer applications
    • Software known to cause problems
  • Bottom Line: Total Cost of Ownership is Increased

7
Software Restriction Policies: Requirements
  • A way to identify code as trusted
  • Flexible policy based approach
  • Integrates with Active Directory Group Policy
  • Enforced by the operating system and applications

8
SRP Basic Components
  • Default Security Level
  • Additional Rules
  • Policy Options
  • Discussed on following slides

9
Default Security Level
  • All programs are known
    • Policy lists approved applications
    • Default Level is Disallowed
    • More secure
  • All programs are not known in advance
    • Policy blacklists software
    • Default Level is Unrestricted

10
Additional Rules
  • Exceptions to the Default Level
  • If the Default Security is
    • Unrestricted, rules specify what cannot run
    • Disallowed, rules specify what is allowed
  • Two Steps
    • Identify Software
    • Specify Run / Don't Run

11
Rule Types and Precedence
  • Rules evaluated in order
    • Hash rule
    • Certificate rule
    • Path rule
    • Zone rule
  • Each rule specifies security level
    • Does a match run or not run?
  • If no rule matches, use Default Level
  • Can use wildcards

12
Scenarios
  • Only run Microsoft Office
  • Only run signed, trusted VB Scripts
  • Only run trusted applications for administrators
  • Don't run prohibited applications
  • Lock down running of ActiveX controls
  • These can be combined

13
Example Policy
  • Allow only Microsoft Office and IE
    • Default Rule: Disallowed
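A model of the rule evaluation described on the "Rule Types and Precedence" slide, applied to this example policy, as an added example that is not part of the presentation: rule types are tried in the order hash, certificate, path, zone, the first type with a match decides, and the default level applies when nothing matches. The policy, the program records and the SHA-256 digest are constructed stand-ins and assume nothing about the real SRP registry layout.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"
# Rule types in the order the slide lists them: the first type that has a
# match decides, so a hash rule overrides a certificate rule, and so on down.
RULE_ORDER = ("hash", "certificate", "path", "zone")

@dataclass
class Program:
    path: str
    contents: bytes
    signer: Optional[str] = None  # subject of the code-signing cert, if signed
    zone: str = "Local"           # IE security zone the file was obtained from

def file_hash(contents):
    # Constructed model: SHA-256 stands in for the digest a real hash rule stores.
    return hashlib.sha256(contents).hexdigest()

def rule_matches(rule, prog):
    kind, value = rule["type"], rule["value"]
    if kind == "hash":
        return value == file_hash(prog.contents)
    if kind == "certificate":
        return prog.signer is not None and prog.signer == value
    if kind == "path":
        path, pattern = prog.path.lower(), value.lower()
        # A folder rule covers everything beneath it; * and ? are wildcards.
        return fnmatch.fnmatchcase(path, pattern) or path.startswith(pattern.rstrip("\\") + "\\")
    if kind == "zone":
        return prog.zone == value
    raise ValueError(f"unknown rule type {kind!r}")

def evaluate(policy, prog):
    """Return (security level, matching rule or None) for one program."""
    for kind in RULE_ORDER:
        hits = [r for r in policy["rules"] if r["type"] == kind and rule_matches(r, prog)]
        if not hits:
            continue
        if kind == "path":
            # Among path rules the most specific (longest) pattern wins; this
            # tie-break is SRP's documented behaviour, not stated on the slide.
            hits.sort(key=lambda r: len(r["value"]), reverse=True)
        return hits[0]["level"], hits[0]
    return policy["default"], None

def can_run(policy, prog):
    return evaluate(policy, prog)[0] == UNRESTRICTED

# Constructed policy for the slide's scenario: default Disallowed, allow only
# Microsoft Office and IE, deny one Office subfolder, allow scripts signed by
# one trusted publisher, and block one known-bad build by hash even inside an
# allowed folder.
EXAMPLE_POLICY = {
    "default": DISALLOWED,
    "rules": [
        {"type": "path", "value": r"C:\Program Files\Microsoft Office", "level": UNRESTRICTED},
        {"type": "path", "value": r"C:\Program Files\Microsoft Office\Tools", "level": DISALLOWED},
        {"type": "path", "value": r"C:\Program Files\Internet Explorer", "level": UNRESTRICTED},
        {"type": "certificate", "value": "CN=Contoso IT Scripts", "level": UNRESTRICTED},
        {"type": "hash", "value": file_hash(b"known bad build"), "level": DISALLOWED},
    ],
}
```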

14
DEMO SRP
15
Additional Network Security Improvements
  • Accounts with blank passwords can't be authenticated to over the network
  • Local Admin account is disabled
  • Smartcards for admin accounts
    • Strong security for privileged accounts
  • Personal Firewall
    • Defense-in-depth in a highly connected world

16
Application Security Model
[Diagram: Users authenticate to a Front End (impersonation?), which calls a Back End (delegation?)]
  • Authorization & Auditing
    • Application context?
    • User's context?

17
Flexibility, Interoperability & Completeness
  • Identity & Credentials
    • Let the system manage user accounts
      • SAM (local users), AD (domain/forest users), Unix KDC (realm users)
    • Choose the strength you need
      • Password, Cert/Key, Physical token (via EAP), Smart Card
  • Authentication Protocols
    • Choose a protocol with the features you need
      • Kerberos, Passport, Digest, SSL/TLS, HTTP, S/MIME, XMLDSIG
  • Authorization
    • Choose the model
      • Impersonation/Delegation or Protected Subsystem?
    • Choose administration format
      • ACLs or Roles

18
Credential Management Issues
  • Multiple credentials are a fact of life
    • Credit Cards, Driver's License, Passport
  • Use strongest form possible
    • Passwords: down-level clients
    • X.509 certs: SSL client authentication
    • Smartcards: admin accounts
  • Maintain Windows SSO experience
  • Enable roaming

19
Windows Server 2003 Credential Manager
  • Vision for secure SSO
  • Secure, roamable storage per user
    • Name & password (Windows or Passport accounts)
    • X.509 certs (smartcard or local store)
  • Associate credentials with application/server targets
  • Unlock credentials during user logon
  • Automatically use appropriate credentials
  • Built-in support
    • Applications (RDR, shell components)
    • AuthN packages (Kerberos, NTLM, SSL)

20
Cred Manager Components
Keyring
  • Manual UI
  • User configures credentials for non Credman-aware applications

Common Credential Collection UI (Credui)
  • Apps call Credui to harvest credentials
  • Users can choose to save or not
  • Common UI supports
    • Name & password
    • Smart cards

Credential Manager (Credman)
  • Secure storage of credentials
  • Associated with a target
  • Accessible only within LSA (by auth packages)
21
Credential Manager Usage
[Diagram: credentials stored against the targets foo.com and dev.foo.com]
22
Application Authentication
  • Session based applications
    • Client-server connection for user session
    • E.g., File system, SQL Server, Active Directory
    • Connection (or packet) oriented protocol
      • Kerberos, NTLM, SSL/TLS, Digest
  • Message based applications
    • No persistent client-server connection
    • E.g., SMTP, MSMQ, Transaction processing, Batch jobs
    • Signed messages
      • S/MIME, PKCS7, XMLDSIG

23
Application Design Goals: Gaps in platform support
  • Store/Forward with Impersonation
    • No logon session per message received
  • Web app with Delegation
    • Only Kerberos provides delegation
    • Not all browsers support Kerberos
  • Multi-tier app with Delegation
    • Kerberos delegation has no constraints
    • Service can do anything as user with Forwarded TGT

24
What's the Problem with W2K Delegation?
  • Web app with Delegation
    • Only Kerberos provides delegation
    • Not all browsers support Kerberos
  • Multi-tier app with Delegation
    • Kerberos delegation has no constraints
    • Service can do anything as user with Forwarded TGT
  • Windows Server 2003 Solution
    • Kerberos Constrained Delegation and Protocol Transition (S4U)

25
Protocol Transition: Kerberos S4U2self extension
  • Authentication flow
    • Service authenticates via Kerberos
    • User authenticates to service (however)
    • Service sends an S4U2self TGS-REQ
    • Gets ticket to itself with user's authorization data
  • API for S4U2self
    • LsaLogonUser(user_UPN)
    • No Password needed
    • Impersonation token
    • Identification token

26
Windows Server 2003 Authentication
[Diagram: Users reach the Front End Application with a Kerberos ticket, Passport, Basic/Digest/SSL, a cert, or signed messages (S/MIME/SMTP, XMLDSIG/HTTP); the Front End obtains a ticket from the KDC, which verifies the Allowed-To-Delegate-To policy, and presents it to the trusted Back End Application]
27
Secure Network Access Infrastructure
28
Network Access Evolution
[Diagram: Static IP (servers) → Dynamic IP (DHCP, DHCP Options) → Secured Building → WEP → 802.1x, with RADIUS for authentication. Questions along the way: How can we protect against eavesdropping? How do we do secure authentication and improve keying? How should security apply to wired connections?]
29
Network Identity and Trust
  • What constitutes user identity?
    • Username, password, token card, certificate, group membership, all?
    • If I trust the person, do I trust the machine?
  • What constitutes machine identity?
    • Token, OS, connection, domain membership, system configuration?
    • If I trust the machine, do I trust the user?

Authentication models need to be rich
30
Integrating IT and Network Service Access
[Diagram, requirement: Interoperable Standards, Open Systems. Directory System: plug-in authentication model, Kerberos, PKI; authenticate to directory. Network Access Control: end-to-end, link neutral encryption as appropriate; secure channel. Content/service. Access Point: link specific encryption as appropriate. Client: integrated network connectivity with network services, single sign-on integration, plug-in authentication model, extensible strong authentication protocol]
31
Microsoft Secure Network Access Infrastructure
[Diagram, Interoperable Standards, Open Systems. Directory System: Windows Internet Authentication Service, Active Directory, Microsoft CA, ADSI with LSA login. Network Access Control: RADIUS, IPSec Transport Mode. Content/service. Access Point: any interoperable standards-based access point or Windows RRAS; link encryption PPTP, L2TP/IPSec, WEP. Client: Extensible Authentication Protocol with Transport Layer Security services (EAP-TLS, PEAP); Windows 2000, Windows XP]
32
802.1x authentication for wireless networks
  • 802.1x
    • IEEE data-link layer standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks.
    • Provides support for centralized user identification, authentication, dynamic key management, and accounting.
    • Support for EAP
  • EAP
    • EAP-TLS
    • EAP-MS-CHAP v2
    • PEAP

33
802.1x authentication for wireless networks
  • EAP
    • 802.1x uses EAP for message exchange during the authentication process.
    • Use arbitrary authentication method
      • certificates, smart cards, or credentials.
  • EAP-Transport Layer Security (TLS)
    • The strongest authentication and key determination method.
    • Mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticator.
    • For certificates or smart cards for user and client computer authentication.

34
802.1x authentication for wireless networks
  • EAP-MS-CHAP v2
    • Mutual authentication method
    • Supports password-based user or computer authentication.
    • Only available with PEAP.

35
PEAP
  • PEAP
    • Authentication method that uses Transport Layer Security (TLS) to enhance the security of other EAP authentication protocols.
  • Benefits
    • Encrypted channel to protect EAP methods running within PEAP
    • Dynamic keying material generated from TLS
    • Fast reauthentication (quick roaming between wireless access points)

36
PEAP authentication process
  • Two main phases
    • Server authentication (Certificate) and TLS channel creation.
      • Master secret generation.
      • Session keys derived from the master secret and used to establish a TLS encryption channel
    • Complete EAP conversation between the client and the server is encapsulated within the TLS encryption channel.
      • Can use any one of several EAP authentication methods
        • passwords, smart cards, and certificates
      • Session keys provide keying material for the (WEP) encryption keys
  • Can use PEAP with any of the following authentication methods for wireless authentication
    • EAP-MS-CHAP v2 uses certificates for server authentication and credentials for user authentication.
    • EAP-TLS uses certificates for server authentication and smart cards or certificates for user and client computer authentication.
    • Third-party EAP authentication methods.

37
3rd Party Recommendations
It will all plug and play securely if we work together
  • Consultants: Design to Architecture
  • Build Network Access Points to Model
    • VPN Gateways: L2TP/IPSec, PPTP, EAP
      • Use WS2003 Server RRAS as reference model
    • 802.11 APs: 802.11 with true 802.1x
      • Build on WS2003 Server for Best AD Integration
  • RADIUS: IAS as platform to build on
    • Access Points: OEM Opportunities
    • Rich AD integration benefits from AP
  • Authentication Providers
    • Build plug-ins to AD and IAS (complete)

38
802.1x and IAS
  • Process of obtaining a valid authentication key
    • ACCESS POINT challenges the CLIENT.
    • CLIENT sends its identity to the ACCESS POINT, which forwards this information to a RADIUS server.
    • The RADIUS server requests the CLIENT's credentials (specifies the type of credentials required).
    • The CLIENT sends its credentials to the RADIUS server.
    • The RADIUS server verifies the CLIENT's credentials.
    • MATCH! The RADIUS server sends an encrypted authentication key to the ACCESS POINT.
    • ACCESS POINT uses this authentication key to securely transmit per-station unicast session and multicast/global authentication keys to the CLIENT.

39
IPSec
  • Impact
    • Deployability/Reliability Improvement (network admin)
    • Improved manageability (network admin)
    • Secured information and resources (everyone)
  • Windows 2000 and Windows NT Interop
    • Windows 2000: Yes
    • Back-port work on Windows 2000 for versioning required
  • Availability Improvement
    • Performance and DoS work increases availability
  • 64-bit Compatible
    • Yes

40
Internet Authentication Service: Remote Authentication Dial-In User Service (RADIUS)
  • Authentication, authorization and accounting service for network access
  • Central access policy and accounting management
  • Extensible authorization model
  • Authenticated and encrypted UDP channel
    • Shared key authentication
    • Client-to-server (gateway to server) session
    • End-to-end authentication: PC to RADIUS server
    • Proxy (gateway to proxy to server)

[Diagram: RADIUS Client → RADIUS Proxies → RADIUS Server]
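The access-point-to-RADIUS-server leg of the exchange on the "802.1x and IAS" slide, as an added example that is not part of the presentation: the shared secret both hides the User-Password attribute inside the Access-Request and keys the Response Authenticator the server puts on its Access-Accept or Access-Reject, which is the "shared key authentication" of the UDP channel this slide lists. Packet layout and both computations follow RFC 2865; user names, the secret and the user directory are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(blob):
    """Decode a TLV attribute list into {type: value}."""
    attrs, pos = {}, 0
    while pos < len(blob):
        atype, alen = struct.unpack("!BB", blob[pos:pos + 2])
        attrs[atype], pos = blob[pos + 2:pos + alen], pos + alen
    return attrs

def xor_chain(data, secret, req_auth, chain_on_output):
    """RFC 2865 5.2 keystream: block i = MD5(secret + previous block), seeded
    with the Request Authenticator. Hiding chains on the ciphertext it emits,
    revealing on the ciphertext it reads, so one loop serves both sides."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(data[i:i + 16], block))
        out, prev = out + res, (res if chain_on_output else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)

def reveal_password(hidden, secret, req_auth):
    return xor_chain(hidden, secret, req_auth, False).rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Binds the reply to its request and proves knowledge of the shared key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def access_request(ident, user, password, secret, req_auth=None):
    """Access point (NAS) side: build the Access-Request for one client."""
    req_auth = req_auth or os.urandom(16)
    pw = attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attr(USER_NAME, user) + pw)

def server_reply(request, secret, directory):
    """RADIUS server side: recover the password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    rcode = ACCESS_ACCEPT if directory.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    return packet(rcode, ident, response_authenticator(rcode, ident, b"", req_auth, secret), b"")

def verify_reply(reply, request, secret):
    """Access point side: accept the reply only if its Identifier matches the
    outstanding request and its authenticator verifies; None means discard."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None
```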
41
Internet Authentication Service
  • What's new
    • Secure wireless deployment
      • 802.1x
      • Certificate OID checking for wireless use
      • Password-based wireless authentication
    • XML-SQL database logging
    • Cross forest support w/out RADIUS proxy
    • Proxy capability
      • RADIUS attribute filtering
    • Client policy check/quarantine access

42
Internet Authentication Service: Secure Wireless Deployment
  • Barriers to Effective 802.11 Security Management
    • Access control (who gets on the network)
    • Static keys are vulnerable to theft
    • Management of static WEP keys
    • Static keys make WEP vulnerable
  • Windows 2003 and XP Solution
    • 802.1x: Bind EAP to 802.11
      • Authentication and key generation
    • Add 802.1x authentication to IAS
      • Wireless connection type, OID checking

43
Internet Authentication Service: Secure Wireless Deployment
  • Issue: Not All Customers Deploy PKI
    • MS-CHAPv2 over Protected EAP
  • PEAP: new EAP method
    • One encrypted channel to host multiple EAP authentications
    • Establishes keys for encryption use
    • Access point requires cert to prevent man-in-middle (client can verify gateway)
  • MS-CHAPv2 used through PEAP
    • Encrypts MS-CHAPv2 authentication between client and RADIUS server
    • Eliminates off-line dictionary attacks
  • Determining feasibility for PPTP
    • Eliminates last major PPTP security issue
  • Updates to IAS, XP client

44
Internet Authentication Service: XML SQL Logging
[Diagram: RADIUS events from Wireless Access Points reach the IAS Servers and are forwarded via XML-SQL to SQL Servers for SQL consolidation; tables Event Main (index) and Event Data (records)]
  • High-scale Query Capable Logging
    • Discover hackers vs. password failure
    • Identify session behavior
    • Identify deployment blockers/issues
    • Customizable reports
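An added example (not part of the presentation) of the "discover hackers vs. password failure" query this slide promises, run over constructed IAS-style records rather than real XML-SQL output: outcomes are grouped per calling station, so a user who mistypes a password once or twice and then succeeds looks different from one station cycling through many accounts or retrying a single account without ever succeeding.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IAS-style audit records (not real XML-SQL output), one per
# Access-Request outcome: "timestamp,user,calling-station-id,result".
SAMPLE_LOG = """
2003-04-01T08:00:01,tsmith@hr.corp,00-0c-aa-00-00-01,Reject
2003-04-01T08:00:09,tsmith@hr.corp,00-0c-aa-00-00-01,Reject
2003-04-01T08:00:20,tsmith@hr.corp,00-0c-aa-00-00-01,Accept
2003-04-01T08:01:00,sdavis@dev.corp,00-0c-aa-00-00-02,Accept
""" + "".join(
    # one station cycling through six different accounts in under a minute
    f"2003-04-01T09:10:{10 * i:02d},user{i}@dev.corp,00-0c-bb-00-00-99,Reject\n"
    for i in range(6)
) + "".join(
    # one station retrying a single account eight times with no success
    f"2003-04-01T10:00:{5 * i:02d},jpeters@dev.corp,00-0c-cc-00-00-77,Reject\n"
    for i in range(8)
)

def parse(log):
    """Yield (timestamp, user, station, result) from the CSV text."""
    for line in log.strip().splitlines():
        ts, user, station, result = line.split(",")
        yield datetime.fromisoformat(ts), user, station, result

def classify_station(events, window=timedelta(minutes=5), retry_limit=5, spray_limit=4):
    """Label one calling station's events. A couple of failures followed by an
    Accept for the same account is a mistyped password. Many distinct accounts
    rejected from one station, or one account rejected again and again with
    no Accept, is guessing rather than a password failure."""
    rejects = [(ts, user) for ts, user, result in events if result == "Reject"]
    accepted = {user for _, user, result in events if result == "Accept"}
    if not rejects:
        return "clean"
    for start, _ in rejects:
        in_window = [user for ts, user in rejects if start <= ts < start + window]
        if len(set(in_window)) >= spray_limit:
            return "credential guessing across accounts"
        for user in set(in_window):
            if in_window.count(user) >= retry_limit and user not in accepted:
                return "repeated guessing of one account"
    return "user password failure"

def triage(log):
    """Return {calling-station-id: verdict} for every station in the log."""
    by_station = defaultdict(list)
    for ts, user, station, result in parse(log):
        by_station[station].append((ts, user, result))
    return {station: classify_station(evs) for station, evs in sorted(by_station.items())}
```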

45
Internet Authentication Service: Cross Forest Proxy Support
[Diagram: an IAS (RADIUS) proxy in front of the AD of the Dev.corp forest and the AD of the Hr.corp forest; tsmith@hr.corp is routed to Hr.corp, sdavis@dev.corp and jpeters@dev.corp to Dev.corp]
  • Use proxy when
    • Forests do not have trust
    • Geographic failover
    • When using EAP-TLS (certificates) in multi-forest environments
46
Internet Authentication Service
  • Impact
    • AD as central directory for all network access (IT Pro)
    • Wireless now deployable and secure (network admin)
    • Multi-forest network authentication (network admin)
    • Consolidated network authentication (network admin)
    • Improved client configuration control (network admin)
    • Single sign-on, single identity simplicity (end user)
  • Windows 2000 and Windows NT Interop
    • Environments: Yes
    • Clients require wireless support updates
  • Availability Improvement
    • Proxy failover and load balancing
  • 64-bit Compatible
    • Yes

47
Wireless LAN Deployment: A case study
48
Infrastructure Considerations
  • Access Point (AP) Placement
    • Decrease cell size (10m radius)
    • Increase cell density
    • Overlapping cells via channel configuration
    • Allow for fewer clients per AP
    • Forcing 5.5-11Mbps only
    • Mitigate possible Bluetooth interference
    • Create a migration path to 802.11a
  • Low Voltage Wiring or In-line Power
    • Use to enable remote cold booting of APs from a central or remote location
  • AP Load Balancing

49
Client Considerations
  • Easy client setup: Plug and Play
  • Seamless client roaming within a building
    • Single wireless subnet in each building
      • Reduce collision domain
      • Restricts NetBIOS access to that building segment
      • Enhances security
  • Unique Enterprise Broadcast SSID
    • Enhanced usability with Windows XP Zero Configuration Wireless Client
  • Automatically Obtain a New DHCP Address When Changing Subnets
    • Windows 2000 and Windows XP clients
  • Client and Helpdesk Troubleshooting Tools
    • AP Monitor in Windows XP

50
Security Considerations
  • MAC Address Filtering
    • Not Scalable
      • MAC Address exception list must be maintained and propagated to all APs
    • Client could neglect to report a lost card
    • Client could change the MAC address
  • Wired Equivalent Privacy (WEP)
    • 40 bit supported per 802.11b standard
    • 128 bit is proprietary
    • WEP keys are not dynamically changed
      • Unique key is required across the enterprise
      • Difficult to change or administer
    • Vulnerable to attack
      • 128 bit WEP can be hacked within 2 hours using PC-based tools and an 802.11b adapter

51
Security Enhancements: 802.1X Solution
  • Client Network Access (link layer) Controlled by Access Point Based on Machine and/or Domain User Account Authentication
  • Authentication Process Secured via Standard Public Key Infrastructure (PKI) Protocols
    • Extensible Authentication Protocol over LAN (EAPoL)
    • Transport Layer Security (TLS)
    • Public/private keys, X.509 Certificates
    • Uses two-factor authentication
    • Available in Microsoft Windows XP
  • Client Machines and Users Negotiate Authentication Against Internet Authentication Server (IAS)
    • IAS proxies authentication requests to Active Directory and Certificate Authority (CRL)
    • IAS is Microsoft's RADIUS server product
  • Dynamic WEP for Each Client Session
    • Changed with each new connection session, roaming, or within a preset time interval

52
Enhanced Security: 802.1X Solution
53
Wireless LAN: Technical Lessons Learned
  • Develop an Operational Support Model
    • Requires improved troubleshooting tools for both client and infrastructure
    • Develop automated tools to rapidly upgrade infrastructure
    • Integration of disparate support organizations for end-to-end support
      • Certificate Server (CRL), RADIUS Server (IAS), Active Directory (DC), Access Point and Client
  • Monitor Client Satisfaction
    • Wireless LAN is a production, rather than adjunct, network
    • Must remain active through 802.1X deployment
  • Broad communication was constrained due to security concerns
    • Maintaining secure environment and avoiding any malicious attacks
  • Clients constrained to Windows XP only
    • Legacy client development is in process or planned

54
Wireless LAN: Technical Lessons Learned
  • Plan for Certificate Issues
    • Required to build a secured web-based tool to validate and/or obtain machine/user certificates until the Active Directory infrastructure becomes .NET native, then support certificate auto-enrollment
    • Avoid issues with Certificate Revocation List (CRL) expiration
  • Monitor Active Directory
    • If overloaded, 802.1X is affected
    • Affects both .NET Server and Windows 2000 SP2
  • Monitor Client DHCP response timeouts
    • Inconsistent across domains and platforms
  • Recognize Dependencies
    • RADIUS Server failover support in Access Points
      • Caused clients to fail authentication and lose connectivity
  • Plan for Authentication Mechanisms that Stress the Infrastructure Unlike Any Other Service Previously Deployed
    • Re-authentication required when roaming and at timeout
    • Cross-forest and multi-domain authentication required

55
DEMO Wireless Authentication
56
Wireless LAN: Support Lessons Learned
  • Significant Costs Lie in the Labor and Material for the Building Infrastructure Installation
    • Infrastructure installations should be above ceiling and concealed
  • Standards Don't Always Work Together Well
    • Don't ever assume that a vendor is taking care of things
  • Involve IT Operations and Helpdesk Early
    • Offer brown-bags and engineering review
  • Develop and Communicate Security Policies Around Rogue Wireless Implementations
  • Attention to Users' Health and Safety Concerns Must Be Addressed Appropriately
    • Leverage your vendor and internal Risk Management and Human Resource organizations

57
Wireless LAN: Futures
  • 802.11a
    • New physical layer using 5GHz band utilizing OFDM to provide speeds up to 54Mb
    • Lower range and higher power requirements
  • 802.11b
    • Existing implementation using 2.4GHz band to provide speeds up to 11Mb
    • High range and low power requirements
  • 802.11d: World mode
    • AP specifies a client profile which includes channel set and power
    • Allows for single AP and client product which would self-configure to meet local RF regulations
  • 802.11e: Quality of Service (QoS)
    • Coupled with 802.1p (Class of Service) and 802.1q (VLAN tagging)
    • Support for real-time applications like voice and streaming media
  • 802.11g
    • New physical layer using 2.4GHz band utilizing OFDM
    • Max speed 22Mbps, but cannot co-exist with 802.11b
  • 802.11h
    • Enhancement to MAC to support EU power and RF requirements
    • Recommended feature for any future implementations
  • 802.11i: Enhanced Security

58
Wireless LAN 802.1x: Reference Information
  • Microsoft Corporation
    • Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service
      • http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp
    • 802.1x (TechNet)
      • http://www.microsoft.com/TechNet/prodtechnol/winxppro/reskit/prdc_mcc_corc.asp
    • 802.1x Authentication
      • http://msdn.microsoft.com/library/en-us/wceddk40/htm/cmcon8021xauthentication.asp
    • Wireless Network Security within 802.1x
      • http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/8021x.asp
    • Set up 802.1x Authentication on Windows XP Client
      • http://www.microsoft.com/windowsxp/home/using/productdoc/en/8021x_client_configure.asp
  • Wireless LAN Association
    • http://www.wlana.org
  • IEEE 802.11 & 802.1x
    • http://www.ieee.org
  • OSHA Health and Safety
    • http://www.osha-slc.gov/SLTC/radiofrequencyradiation

59
Questions?