Saturday, March 26, 2011

MMS 2011: Day five wrap up

Last day in Las Vegas! The party last night was not too shabby, even being thrown and attended by some hardcore geeks. The party had a western theme, some good food (ribs, corn on the cob, and the usual western fair), pretty square dancers, and even a decent band (The Scotty Stamp Band). One of the singers did a great Johnny Cash.

One more breakout session, then a lab, then off to McCarran airport. I won't go into the lab detail here, except to say that it was on how to migrate Config Manager from 2007 to 2012. Looks like a pretty straightforward process, and no competent system administrator should have any problem in performing the upgrade.

First up, Hack Proof your Windows 2008 R2 server, presented by Erdal Ozkaya.

The first thing Erdal asked the audience was, "Is security your responsibility?" Half the folks in the room said no, while the other half agreed, yes, it was part of their job.

BZZZZZZ!!! The correct answer is that if you are an information technology professional, security should be deeply ingrained into everything you do in your job. If you don't think you should be aware of security, then you need to choose a different profession.

One important point that Erdal mentioned: "There is no way to stop a hacker. You can only make his job harder." This is so true. Any determined hacker will find a way to penetrate any defenses, given enough time. By throwing an effective defensive perimeter, you can make much more difficult for a hacker to get at your companies private information.

Here are a few more gems from Erdal:
  • One of the most exploited pieces of Windows is the Explorer shell, as well as Internet Explorer. To bypass this, simply install Server 2008 R2 in core mode. By doing this, you close these two methods of attack, or shrink your attack surface.
  • Applocker
  • Use biometrics to allow access to Server 2008 R2. It's hard to accurately reproduce a fingerprint, and using biometric authentication vastly increases physical security.
  • Strong passwords are a must! It takes less than 20 minutes to crack a password of 8 characters or less, and about 2 hours for passwords 8-12 characters in length.
  • Remove LanManager. It's not needed for Server 2008 or Windows 7.
  • Use service accounts to enhance security while simplifying or eliminating password and SPN management.
  • User Account Control (UAC). Leave it on. Don't turn it off. The access control model changed to help mitigate the impact of a malicious program; user attempts to start an administrator task or service, the UAC dialog box asks the user to click either Yes or No before the users full administrator access token can be used.
  • Use Smart Cards
  • Windows Security Auditing
  • Run the Security Configuration Wizard (SCW). SCW guides you through the process of creating, editing, applying or rolling back a security policy. It disables unnecessary services, detects role dependencies, nad provides hotlinks to get online help. SCW can also be deployed via Group Policy.
  • Windows Firewall, use it. Windows Firewall with advanced security is an advanced interface for IT professionals, and was not designed for home users.
  • Disable insecure user accounts. In Windows Server 2008 installation, two accounts are created by default, Administrator and Guest. Turn them off
  • Use Bitlocker
  • User Windows 2008 R2 NAP. Network Access Protection monitors and assesses the health of hosts in a network to determine their level of compliance to the configured health policy. NAP ensires that vulnerable/infected systems don't become a launch pad for more wide spread hacker/malicious code attack. It's free, use it!
  • User Mmicrosoft Baseline Security Analyzer to check for up-to-date patch status.
  • Be aware of social networking. There is no patch for human stupidity. Security is only as strong as its weakest link, and humans are the most susceptible factor.

Overall a great presentation. Some basic concepts on what you can do to keep your server and data safe.

Tools mentioned:

1 comment:

  1. Looking for default passwords for devices? Click the link below for the sizeable list of passwords:

    Default Password List

    ReplyDelete