Robert Hensing's Blog

Software Security . . . and stuff.


Admin Personas - at long last . . .

  • Comments 4
  • Likes

Okay so this post is several months late - what can I say, I'm easily distracted and overly busy.  Hopefully if you are reading this post you've already read the post on hacker personas.  Having been on the PSS Security team for over three years now I've noticed patterns not only in the types of miscreants hacking our customers, but in the types of customers getting hacked by the miscreants as well.  As they say over at 'The Onion' - Stereotypes are a real time saver; so without further adieu I give you 'Admin Personas' . . .

The 'Default' Administrator
Default man, default man - doin' the things the defaults can!  That's right - this persona represents probably (sadly) the majority of Windows administrators (60%?).

  • Default man puts his Windows boxes right on the Internet with no firewall and assigns the IP address from his service provider right to his external interface on his dual homed machine (the other NIC is of course on his smallish corporate or home network).  He either users no firewall because of cost or because he doesn't fully understand the threat that running a box on the Internet with no firewall poses or a combination of both.  Default man probably runs Windows 2000 and since there is no firewall built-in; he's not using one.
  • Default man is also way behind on service packs.  Default man is probably at N-2 (where N is the current service pack).  There are likely multiple reasons for this.  Default man may have had a bad experience with our service packs before and likes to 'play it safe' now while the rest of the world runs the latest and greatest he sits back and watches and waits for the 'inevitable' problems.  Why let a good test environment and proper patch management stand in the way of good old fashioned inaction?  Default man probably doesn't know that we have a Lifecycle web site or what our lifecycle policy is for service packs for our operating systems and will be rudely surprised when he gets hacked (due to missing security patches) that he can't even install the security updates that he needs to protect himself without upgrading to the latest service pack which he hasn't even begun testing yet!  This puts him in a real bind and he usually ends up blindly deploying the service pack at the last minute in reaction to a security incident in order to get secure without doing *any* testing.
  • Default man has no password policy.  Why?  Because Windows 2000 and lower don't enable one by default out of box.  Since Windows doesn't require a good password policy by default - the default administrator uses a very weak password as their password.  It's usually a 'word' as the name implies . . .
  • Default man has no audit policy . . . see a pattern here?
  • Basically default man can also be thought of as 'Next, Next, Finish' man - he only does the things the wizards and the OS do for you by default . . .

Sadly these admins have most likely already been hacked . . . repeatedly . . . for many months if not years and they've never noticed the intrusion (due to inexperience with the operating system).  The default administrator usually only notices the signs of an intrusion after the latest miscreant has gone too far and caused damage to the system (like unexplained reboots, sluggish performance or the hackers hardening efforts (to prevent 're-hackers' or 'leech hackers' go too far and they end up breaking the applications or the server in some fashion).  I say the 'latest miscreant' because these kinds of boxes are usually hacked by group A, and then re-hacked or leech-hacked by group B and then possibly re-hacked or leech-hacked by group C who has a bit more clue and not wanting 'their' server to be stolen by other leech hackers resort to hardening the box to prevent re-hacking.  Unfortunately it's usually the 'hardening' of the box during this hacker tug of war that causes breakage and tips off the default administrator that something is not right with the system.

If the default administrator has noticed any 'strange' behavior - they've chalked it up to 'Windows' because everyone knows how unstable that OS is right? 

These are the cases my team really hate to work because we have the unfortunate job of pointing to evidence of multiple intrusions occurring over months or years and then having to explain how it all happened (a result of all of the above things being totally wrong) and how to recover.  It's an extremely unpleasant and rude awakening for these administrators to the world of security (much like what it must have been like to take the red pill).  This situation, will fortunately be slowly phased out over time as more and more users migrate to XP SP2 and WS2003 SP1 and the OS defaults are secure to protect the innocent.

The Skilled Administrator
Possibly 35% of all Windows administrators are what I would consider 'skilled' . . . below are some of the properties of a 'skilled' administrator.  The skilled administrator is more cautious than the 'default' administrator - because he's been to SHK University (School of Hard Knocks) and learned some valuable lessons before dropping out.

  • The skilled administrator puts his boxes on the Internet and he uses Internet routable IP addresses, but since he has a networking background he knows the importance of 'filtering' and he configures his upstream router to only pass certain packets that aren't on his 'known bad' list to his server.  The skilled administrator relies on his router with ACL's for port filtering vs. buying into the whole 'firewall' thing.  He thinks of firewalls as devices designed to block ports and he can do that with his router - so why buy a firewall?  He hasn't hardened his router at all and it probably isn't running the latest IOS or security updates from Cisco.  The router itself may have been compromised remotely at some point and the ACL's he created may have been disabled but he wouldn't know - he rarely checks the router if the packets are flowing!
  • The skilled administrator having been to the school of hard knocks knows the importance of patching the OS and as a result he's running the latest OS, at the latest service pack level and he's even got all of the latest critical security updates for Windows installed . . . but he doesn't know much about SQL or Exchange or Sharepoint Portal Server or ISA . . .so they aren't patched with the latest security updates.  Doh!
  • The skilled administrator his highly suspicious of the Microsoft 'default' settings and will likely do whatever is necesary to NOT use the default settings of Windows.  Fortunately for him this usually pays off even if he doesn't fully understand why.  An example of this is that the skilled administrator actually has a password policy . . . but it's configured all wrong and is only 6 characters (because this guy hates supporting end-users and likes things to run smoothly and longer passwords create helpdesk calls for him so 6 characters it is!) . . . oh and he uses account lockouts (that's how he knows when he's got malware on his network).  This admin hasn't thought about why he keeps getting malware on his network that locks out accounts and what that means (the password policy is inadequate) but he's sure good at detecting it once its there and then removing it with cleaner tools from his AV vendor.
  • The skilled administrator has done something with auditing and it can go one of two ways.  Either he is just auditing account logon events (and then using special software to scrape the security event log looking for suspicious logon activity like account lockouts) or he's gone full-on crazy and has ticked every single audit checkbox that the UI provides and his security event log is wrapping every 24 hours or so and he's losing valuable data buried within mountains of meaningless data he doesn't need to collect / audit.
  • Finally and most importantly - since the skilled admin is suspicious of all of our OS defaults he has done some security hardening.  The problem is he does all of his server hardening 'by hand' using outdated security checklists he found on our web site a couple of years ago and he isn't really sure he has applied his security hardening consistently throughout the environment and he only has one checklist for all of his different types of servers.

The 'Sophisticated' Administrator . . .

These guys (perhaps 5% of all Windows admins?) not only went to the School of Hard Knocks but they graduated Summa Cum Laude!  Not only that but their present job requires the highest degree of security - if they get hacked, they get fired so he's got a real interest in keeping things tight.  In addition - his CxO's all fully support security as one of the businesses highest priorities (due to an increasing threat of legal liability over improperly secured systems and due diligence laws) and the sophisticated administrator is free to make security policy changes AND have them enforced (security flows from the top down).  Believe me, you WANT them on that wall!

  • Internet Connectivity:  The sophisticated admin is using a segmented network approach with multiple isolated segments (sometimes called DMZ's) for his various Internet facing properties.  There is of course IPSec segmentation (with encryption and mutual authentication), and of course firewalls that perform NAT and deep content inspection are in use all over his network.  He performs not only ingress filtering, but he also performs egress filtering as well.  He's been researching network access protection and is excited over the recent Microsoft / Cisco partnership in this area.  He's already got 'Network Quarantine' working on his VPN servers - all VPN users must pass mandatory checks or they are denied access to the corporate network.
  • In his DMZ's and all over his corporate network he's got IDS and IPS systems from managed security service providers like ISS.  As a result if something does manage to get on his network - he'll know about it within seconds.  In addition to the IDS / IPS - he's got proper baselines of all critical systems and knows what services should be started, what ports should be listening and what processes should be running on each server.  Speaking of servers, he knows exactly what servers are on what IP addresses and he carefully monitors his network for new / unknown boxes daily.  In addition the network team routinely monitors the network traffic and knows what 'normal' looks like there as well and can quickly react to and shut down network ports generating anomalous network traffic.
  • The sophisticated admin does not 'react' to security updates - he plans for them and anticipates them.  He has created a small test environment where he can begin testing security updates for the products he uses the day they release and he is of course signed up to receive alerts via email the day the security bulletins ship from his favorite vendor.  The goal that the sophisticated admin shoots for is having all 'critical' security updates deployed throughout his critical infrastructure within 24 hours because he knows the time to patch is decreasing rapidly.  The security update policy covers not only deployment but also routine scanning of the environment using tools like MBSA and SMS to ensure new systems haven't been brought on-line on the network that could pose a threat to the integrity of the network.
  • The sophisticated admin has a formal password policy that's documented.  All administrative accounts have a minimum password length requirement of 12 characters or more and he encourages the use of longer pass-phrases through internal user education campaigns.  He doesn't use account lockouts in his environment because the passwords are good enough and expire often enough (70 days or less) that account lockouts really aren't needed and would only serve to increase helpdesk costs.  Part of his password policy means that passwords are not shared anywhere and they are evaluating and deploying multi-factor authentication (smartcards are duking it out with other solutions like RSA SecureID in the test environment).
  • The sophisticated admin has enabled auditing of key events and currently uses 3rd party software to monitor the security event logs for suspicious events (and for archive purposes) but he's also evaluating Microsoft's Audit Collection System as a potential longer term solution to the problem of managing audit data.
  • The sophisticated admin has read all of the latest Windows hardening guides and the 'Threats and Countermeasures' guide for Windows XP and WS2003.  In addition to reading the guides, he's deployed the high security templates from the guides to all of his critical infrastructure and edge servers after testing them in his test environment and addressing his application compatibility concerns.  The security templates automated the hardening of his systems in a manner of minutes and his environment is now totally consistent with respect to server hardening based on the role of the server.  To harden a newly built server he simply moves it to the proper OU and group policy takes care of the rest!
  • The sophisticated admin knows that the biggest threat to his particular environment is from 0-day exploits targeting un-patched browser vulnerabilities that result in the installation of malware.  Phishing scams are also of concern so he has all of his users running as . . . users, not local administrators.  The sophisticated admin does not believe in 'security through obscurity' and doesn't really believe that Firefox is all that more secure than IE so he hasn't looked into switching to a new and unproven browser.  In addition to running as normal users to minimize the damage potential of malicious software, his users are forced to use Internet explorer with customized security settings - the Internet zone is set to 'high' security and users are told to only add web sites they know and trust to the 'trusted sites' zone which itself is set to 'medium' security.  These settings have been deployed to the desktops through group policy.  In addition to the increased IE security settings they are using Outlook 2003 and have configured Outlook to render all e-mail as plain-text.  Finally they are evaluating deploying an anti-spyware product in addition to their standard antivirus software and among the finalists are software like Counterspy and of course Microsoft's Antispyware product.

These are the basic kinds of administrators we talk to each and every day.  These are of course generalizations but they seem to work so very well . . . which category do you belong to?

  • Techie life - Phillip Renouf's blog » Admin personas