<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Securing My Infrastructure</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx</link><description>Tags: Securing My Infrastructure</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Patch Management, a key step towards compliance!</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/22/patch-management-a-key-step-towards-compliance.aspx</link><pubDate>Fri, 22 May 2009 15:18:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3244527</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3244527.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3244527</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3244527</wfw:comment><description>&lt;p&gt;As you might have read, I recently blogged about my infrastructure and the future of a platform towards a better management of compliance – honestly, I actually played with our latest technology &lt;img alt="smile_embaressed" src="http://spaces.live.com/rte/emoticons/smile_embaressed.gif" /&gt;. 
&lt;/p&gt;  &lt;p&gt;I wrote about&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/12/deploying-pki.aspx"&gt;Deploying PKI&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/16/time-sync-on-virtual-dcs.aspx"&gt;Time Sync on Virtual DCs&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Now, a necessary and very important next step towards compliance as well as a secure environment is a sound Patch Management process and then, in second place, the underlying technology. I blogged several times already about Patch Management as I see a lot of companies failing to deliver on this. I recently wrote a post called &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/26/patch-management-cover-the-whole-9-yards.aspx"&gt;Patch Management – Cover the whole 9 yards&lt;/a&gt;. In there I mention different papers you could/should read:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc512589.aspx"&gt;Ten Principles of Microsoft Patch Management&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/bb466251.aspx"&gt;Update Management &lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc700845.aspx"&gt;Update Management Process&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;and I reference Christopher Budd’s Ten Principles of Patch Management:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Service packs should form the foundation of your patch management strategy &lt;/li&gt;    &lt;li&gt;Make Product Support Lifecycle a key element in your strategy &lt;/li&gt;    &lt;li&gt;Perform risk assessment using the Severity Rating System as a starting point &lt;/li&gt;    &lt;li&gt;Use mitigating factors to determine applicability and priority &lt;/li&gt;    &lt;li&gt;Only use workarounds in conjunction with deployment &lt;/li&gt;    &lt;li&gt;Issues with Security Updates are documented 
in the Security Bulletin Master Knowledge Base Article &lt;/li&gt;    &lt;li&gt;Test updates before deployment &lt;/li&gt;    &lt;li&gt;Contact Microsoft Customer Support Services if you encounter problems in testing or deployment &lt;/li&gt;    &lt;li&gt;Use only methods and information recommended for detection and deployment &lt;/li&gt;    &lt;li&gt;The Security Bulletin is always authoritative &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;First of all (and you see that in the articles referenced above) it is of utmost importance to have a process in place. Basically the core schema to run such a process is:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Cc700845.secmod193_1(en-us,TechNet.10)[1]" border="0" alt="Cc700845.secmod193_1(en-us,TechNet.10)[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/Cc700845.secmod193_1(en-us,TechNet.10)%5B1%5D_3.gif" width="335" height="334" /&gt;&lt;/p&gt;  &lt;p&gt;I have seen different complexities to deploy such processes. From highly complex to pretty simple and straight-forward ones. Those of you who know me know that my preference is &lt;a href="http://en.wikipedia.org/wiki/KISS_principle" target="_blank"&gt;KISS (Keep it Simple, Stupid)&lt;/a&gt;. So, make the process as complex as necessary and as slim as possible.&lt;/p&gt;  &lt;p&gt;So, once you have the process in place and take a &lt;strong&gt;&lt;u&gt;conscious decision&lt;/u&gt;&lt;/strong&gt;, the question is about deployment and reporting. &lt;/p&gt;  &lt;p&gt;So, let’s talk about technology now.&lt;/p&gt;  &lt;p&gt;In order to get an overview of the state of your computers, you might use the &lt;a href="http://technet.microsoft.com/en-us/security/cc184924.aspx" target="_blank"&gt;Microsoft Baseline Security Analyzer&lt;/a&gt;. 
This is an excellent tool to scan your Windows machines and get an overview of the security state of the machines. It might not deliver the same level of sophistication as very expensive tools, but the difference is: We provide it for free and – in my opinion – it gives you a good starting point to look at vulnerabilities, including the Security Update level of a given PC. Here is an example of one of these assessments:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%201_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 1" border="0" alt="2009,05 - Patch Mgmt 1" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%201_thumb.png" width="500" height="578" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;But this does not really resolve your base problem about the Security Update compliance of the computers on your network as well as the distribution of the updates. From my point of view, there are different options to do so: &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;If you are a small or medium business, one of the coolest solutions for you to go with is &lt;a href="http://www.microsoft.com/systemcenter/essentials/en/us/default.aspx" target="_blank"&gt;System Center Essentials&lt;/a&gt;. It is System Center Configuration Manager, System Center Operations Manager and Windows Server Update Services in one package. However, it is limited to 30 servers and 500 clients. If you are within this limit, it rocks. 
&lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.microsoft.com/systemcenter/configurationmanager/en/us/default.aspx" target="_blank"&gt;System Center Configuration Manager&lt;/a&gt;: If you already use this technology to distribute software and configurations, leverage this. &lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/wsus/default.aspx" target="_blank"&gt;Windows Server Update Services&lt;/a&gt;: It is kind of unbelievable but this is &lt;strong&gt;free&lt;/strong&gt;! So, to be clear – &lt;strong&gt;we do not charge for it&lt;/strong&gt;! You can download and install it and it scales even for large Enterprises (did I tell you already that it is free &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;?). &lt;/li&gt;    &lt;li&gt;A third-party solution &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I am using WSUS and am more than happy with it. The way I am organized is, that I get regularly a mail from WSUS with the current state of “the nation”:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%202_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 2" border="0" alt="2009,05 - Patch Mgmt 2" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%202_thumb.png" width="500" height="479" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;As I am mail-driven, this allows me to see, what I have to do with regards to WSUS. 
I can then log on to my WSUS server to get more granular reports:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%203_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 3" border="0" alt="2009,05 - Patch Mgmt 3" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%203_thumb.png" width="500" height="261" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;From here on, I can decide which actions I want to take, based on detailed reports I can get by clicking one of the texts in the UI:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%204_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 4" border="0" alt="2009,05 - Patch Mgmt 4" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%204_thumb.png" width="500" height="388" /&gt;&lt;/a&gt;&amp;#160;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%205_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 5" border="0" alt="2009,05 - Patch Mgmt 5" 
src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%205_thumb.png" width="500" height="388" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;BTW: this machine has been patched in the meantime – so do not even think about it &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;&lt;/p&gt;  &lt;p&gt;Even if you cannot technically enforce the security update level that way (and we will talk about Network Access Protection in a later post), it at least helps you to understand where you stand and what you have to do in order to get compliant.&lt;/p&gt;  &lt;p&gt;Again (as I did so often) my call to action to you: Make sure that you have a straight-forward process in place and then use technology (like WSUS) to deploy the updates and ensure that you have deployed them correctly!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3244527" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch 
Management</category></item><item><title>Deploying PKI</title><link>http://blogs.technet.com/rhalbheer/archive/2009/03/12/deploying-pki.aspx</link><pubDate>Thu, 12 Mar 2009 17:49:46 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3212074</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3212074.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3212074</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3212074</wfw:comment><description>&lt;p&gt;Recently I decided to spend some time to implement some new technologies in my environment at home. The environment itself is a mixture between test and production. If you are reading this post on &lt;a href="http://www.halbheer.info/security"&gt;www.halbheer.info/security&lt;/a&gt;, you are already accessing this environment. So, I host my web server, mail server etc. there, all our private mails are received there, but I am still trying to deploy beta technology as I want to understand the challenges you all will go through when you run these products in your production environment – being well aware that 8 or 9 servers and a few clients are by far not comparable with what you do out there. &lt;/p&gt;  &lt;p&gt;Now, I decided to write a few blog posts about how I integrated our technology, as I wanted to prepare the environment for the active protection technologies being part of our next generation of the Forefront suite called Stirling as well as some other cool stuff we recently released (like NAP) but I never had actively in my hands. I decided to share some of the experiences and challenges with you as I went through this (it was a lot of fun for me).&lt;/p&gt;  &lt;p&gt;Let’s start with PKI first – which I deployed a few years ago already. 
Even though I know that there are quite a few companies that are still refraining from deploying PKI, I am definitely convinced that over the short or mid term there is no way around it. Certificates and the authentication linked to them are already all across an infrastructure. So, let’s start there.&lt;/p&gt;  &lt;p&gt;Before I joined Microsoft, I was working at PricewaterhouseCoopers running PKI projects mainly with regards to policy development, processes and organizational concepts. These projects (not only our part but including the software licenses) tended to be huge and very time- and money-intense. One of the reasons for that was that it was far away from being commodity. Believe me or not, but back then (this was around the year 2000) I was saying that PKI cannot take off before Microsoft integrates it into the client. &lt;/p&gt;  &lt;p&gt;I then moved to Microsoft and we released XP with an already pretty good PKI integration, especially when we added the Windows Server 2003 PKI. However, there was a downside: Too many customers just went through the wizard and installed a PKI – and generated a problem. Even though today I am convinced that you do not need these thick books of paper beforehand (I am not paid by the number of pages I write &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;), you need to do some planning. In particular, you have to make sure you understand the application of the PKI before you deploy it, as well as the assets you are protecting. 
This means planning, this means concepts, this means experience.&lt;/p&gt;  &lt;p&gt;There are actually some pretty good papers on our website which can help you there:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc773138.aspx" target="_blank"&gt;Designing a Public Key Infrastructure&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc772670.aspx" target="_blank"&gt;Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc787594.aspx" target="_blank"&gt;Windows Server 2003 PKI Operations Guide&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc749296.aspx" target="_blank"&gt;Troubleshooting PKI Problems on Windows Vista&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;These documents help you to understand which decisions you need to take before you start to deploy. Decisions such as (not complete):&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Enrollment processes&lt;/li&gt;    &lt;li&gt;Protection of the different private keys&lt;/li&gt;    &lt;li&gt;Certificate Lifecycles (yes, there are different validity periods and they will depend on each other)&lt;/li&gt;    &lt;li&gt;Revocation and distribution of the revocation information&lt;/li&gt;    &lt;li&gt;etc.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, I took it pretty straight-forward: I decided that I needed a PKI for various purposes but definitely no high-trust certificates (I did not have an HSM – a hardware device for the protection of the CA’s private key – anyway). So I looked into naming of the PKI, lifetime of the root cert etc. and then went for it. &lt;/p&gt;  &lt;p&gt;So, I initially installed a Root CA, which directly issues certificates for machines and websites. I even put it on a DC. 
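&lt;/p&gt;&lt;p&gt;Two of the decisions in the list above can be checked after the fact on any machine that trusts the CA: whether the validity periods actually nest (no certificate outliving the CA that issued it) and whether the revocation information is reachable from where that machine sits. The following PowerShell is an added example and not code from the original post: it uses the .NET X509Chain API, walks the local machine's personal certificate store, and reports on exactly those two points.&lt;/p&gt;

```powershell
# Added example, not code from the original post. Audits certificate lifecycle
# nesting and revocation reachability for every certificate in the machine's
# personal store, using the .NET X509Chain API. Run it on a machine that trusts
# your private root; nothing here is specific to a particular CA name.

function Test-CertificateLifecycle {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch revocation information online for every element, not just the leaf:
    # an unreachable CRL distribution point on an issuing CA breaks clients just the same.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $builds = $chain.Build($Certificate)

    $findings = @()
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    for ($i = 0; $i -lt $elements.Count - 1; $i++) {
        $cert = $elements[$i]
        $issuer = $elements[$i + 1]
        # Validity periods have to nest: a certificate that expires after its issuer
        # is only usable until the issuer expires, whatever its own NotAfter says.
        if ($cert.NotAfter -gt $issuer.NotAfter) {
            $findings += "{0} expires {1:yyyy-MM-dd} but its issuer {2} expires {3:yyyy-MM-dd}" -f $cert.Subject, $cert.NotAfter, $issuer.Subject, $issuer.NotAfter
        }
        # Everything below the root needs a CRL Distribution Points extension (OID 2.5.29.31),
        # otherwise clients have no way to find the revocation information you publish.
        if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" })) {
            $findings += "{0} carries no CRL distribution point" -f $cert.Subject
        }
    }
    # Chain status carries the revocation problems: RevocationStatusUnknown and
    # OfflineRevocation mean the CRL could not be fetched from this network location.
    foreach ($status in $chain.ChainStatus) {
        $findings += "{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
    New-Object PSObject -Property @{ Subject = $Certificate.Subject; ChainBuilds = $builds; Findings = $findings }
}

# Audit the machine's personal store (machine certificates, web server certificates).
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateLifecycle -Certificate $_ } |
    Where-Object { -not $_.ChainBuilds -or $_.Findings.Count -gt 0 } |
    Format-List Subject, ChainBuilds, Findings
```

&lt;p&gt;The check is worth running twice: once inside the network and once from a machine outside it, because a CRL distribution point that only resolves internally passes the first run and fails the second, which is exactly the situation of an external mail client that trusts a privately published root.&lt;/p&gt;&lt;p&gt;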
The reason for putting the CA on a DC was two-fold:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;I definitely did not need higher security for my CA than the security level of the DC&lt;/li&gt;    &lt;li&gt;I did not have more servers available&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;Well, honestly, I started to deploy certs and later on re-started again… I stupidly named my PKI “Root” and became the joke of my friends at Microsoft. When you looked at my “Trusted Certification Authorities” on any of my computers, there was one called “Root”, which is really descriptive &lt;img alt="smile_sad" src="http://spaces.live.com/rte/emoticons/smile_sad.gif" /&gt;. So, I wanted to get rid of this problem and re-installed the stuff (which you probably do not want to do – therefore think first, unlike me). I even have the root cert publicly available as I need it from time to time outside my infrastructure, as I am hosting my parents’ mail as well and I do not want them to get a warning box if they access my SMTPS or POPS servers. It is on &lt;a title="http://www.halbheer.info/Transfer%20Documents/Technical%20Documents/halbheerroot.zip" href="http://www.halbheer.info/Transfer%20Documents/Technical%20Documents/halbheerroot.zip"&gt;http://www.halbheer.info/Transfer%20Documents/Technical%20Documents/halbheerroot.zip&lt;/a&gt; and is called &lt;em&gt;Halbheer Root&lt;/em&gt; today.&lt;/p&gt;  &lt;p&gt;This deployment then allowed me to go for Domain Isolation with IPSec and in parallel Network Access Protection. 
I will talk more about this once I have touched briefly on the theme of monitoring.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3212074" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category></item><item><title>Securing My Infrastructure: Firewall</title><link>http://blogs.technet.com/rhalbheer/archive/2008/02/28/securing-my-infrastructure-firewall.aspx</link><pubDate>Thu, 28 Feb 2008 18:33:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2937914</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2937914.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2937914</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2937914</wfw:comment><description>&lt;P&gt;Well, this is a follow-up to my last posts about how I secure my environment. If you want to read the earlier posts of the series, see the end of this post. &lt;/P&gt;
&lt;P&gt;So, we did the Risk Assessment; now, let's look a little bit closer into my perimeter. Technically I have a "normal" ADSL connection with a static IP address. However, I decided to use the provided modem only as a bridge and do the dial-up from my firewall, which is – surprise, surprise – an ISA Server 2006. This enables me to avoid a NAT-NAT type of configuration and also allows me to see what is going on on the outside adapter. &lt;/P&gt;
&lt;P&gt;Looking at the classical design of a perimeter network: we have been travelling the world for quite some time talking about the diminishing importance of the perimeter network or, as Steve Riley puts it, "The death of the DMZ" – a concept I implemented in my network. &lt;/P&gt;
&lt;P&gt;There are quite some services I am providing on my network to the Internet: I am running a Web Server, a Mail Server (which offers POP, SMTP, RPC over HTTPS, OWA, Exchange ActiveSync) and I am exposing all my servers for RDP. Nevertheless I am not running a DMZ nor do I feel bad about it. The way I am working is to use the Reverse Proxy functionality of my firewall. If I ran the classical DMZ design it is pretty likely that the second firewall would have a lot of ports open (I usually call this a "Router" :-) ). In the setup I chose, I am able to use ISA as my bastion coming from the outside. It does a protocol filter as well as handles the entire authentication whenever a service is used where I want to have authentication. Like that, nobody will hit my OWA server without being authenticated already. This is one of the big advantages of this setup. Additionally ISA looks into the data and tries to understand whether the packets are valid or not. So, if you send an SMTP command with a clearly invalid size, the packet will be dropped and will never reach my Exchange. &lt;/P&gt;
&lt;P&gt;Last but not least, ISA serves as a cache. Initially I was wondering whether I even should enable caching, as we have so few users and enough bandwidth. Since ISA Server 2006 is able to cache Microsoft Update, it definitely makes sense. I configured the WSUS server in a way that the updates are downloaded directly from Microsoft Update. So, every computer in my network will access Microsoft Update and that way the updates are cached as far as possible on the ISA Server. &lt;/P&gt;
&lt;P&gt;Finally, let's have a look at monitoring. I am using System Center Operations Manager (SCOM) to monitor the environment and therefore ISA Server is reporting back to SCOM. Nevertheless the log shows interesting things from time to time: &lt;/P&gt;
&lt;P&gt;Recently one of the clients in the network got infected and started to send a lot of bogus traffic. ISA immediately closed the connection and alerted my SCOM (and Forefront cleaned the client): &lt;/P&gt;
&lt;P style="TEXT-ALIGN: center"&gt;&lt;SPAN style="BACKGROUND-COLOR: yellow"&gt;&lt;IMG style="WIDTH: 866px; HEIGHT: 406px" height=406 src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780730/original.aspx" width=866 mce_src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780730/original.aspx "&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Something that happens really often is script kiddies probing the firewall, like this one (which actually came from the Netherlands): &lt;/P&gt;
&lt;P style="TEXT-ALIGN: center"&gt;&lt;IMG style="WIDTH: 868px; HEIGHT: 407px" height=407 src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780738/original.aspx" width=868 mce_src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780738/original.aspx "&gt;&lt;/P&gt;
&lt;P&gt;So, this part up to now was pretty straightforward. However, there is one shortcoming (not of ISA but of other products like Office): As I stated above, I have one fixed IP address. From here I am running different domains (e.g. mail.contoso.com, vpn.contoso.com, www.contoso.com, …) where some of them need SSL. Those of you who know ISA and how it works realize that I need one listener on port 443, authenticating with a certificate that takes the role for all the domains that request SSL. But issued to which of the above-mentioned names? Well, I issued a certificate with my CA to *.contoso.com. ISA can handle that pretty much without problems, but some consuming clients, like Outlook 2007 for RPC over HTTPS, fail to authenticate the server. There I had to disable the certificate check – something I would not like to do in production. &lt;/P&gt;
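&lt;P&gt;Whether a client accepts the wildcard certificate comes down to the host-name matching rules it applies, and those are stricter than people expect: a wildcard stands for exactly one label, so *.contoso.com covers mail.contoso.com but neither contoso.com nor owa.mail.contoso.com. The following PowerShell is an added example and not code from the original post or from ISA Server: it reads the names a certificate carries (Subject Alternative Name first, the CN only as fallback) and checks a list of published host names against them with those rules. The host names are constructed placeholders.&lt;/P&gt;

```powershell
# Added example, not code from the original post or from ISA Server. Checks which
# published host names a single HTTPS listener certificate actually covers, using
# the wildcard rules clients apply (RFC 6125 section 6.4.3). Names are placeholders.

function Get-CertificateHostNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject Alternative Name (OID 2.5.29.17) is what clients match against first.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), "DNS Name=([^,\s]+)")) {
            $names += $m.Groups[1].Value
        }
    }
    # Fall back to the CN only when there is no SAN at all.
    if ($names.Count -eq 0 -and $Certificate.Subject -match "CN=([^,]+)") { $names += $matches[1] }
    return $names
}

function Test-HostNameMatch {
    param([string]$CertName, [string]$HostName)
    $pattern = $CertName.ToLowerInvariant()
    $name = $HostName.ToLowerInvariant()
    if ($pattern -eq $name) { return $true }
    if (-not $pattern.StartsWith("*.")) { return $false }
    $patternLabels = $pattern.Split(".")
    $nameLabels = $name.Split(".")
    # The wildcard stands for exactly one label: label counts must agree, and every
    # label to the right of the wildcard must match exactly.
    if ($patternLabels.Count -ne $nameLabels.Count) { return $false }
    for ($i = 1; $i -lt $patternLabels.Count; $i++) {
        if ($patternLabels[$i] -ne $nameLabels[$i]) { return $false }
    }
    return $true
}

function Get-UncoveredHostNames {
    param([string[]]$CertNames, [string[]]$PublishedNames)
    foreach ($published in $PublishedNames) {
        $covered = $false
        foreach ($certName in $CertNames) {
            if (Test-HostNameMatch -CertName $certName -HostName $published) { $covered = $true }
        }
        if (-not $covered) { $published }
    }
}

# Constructed sample: the wildcard from the post against the names one listener
# publishes. The bare domain and a two-level name are included on purpose.
$certNames = @("*.contoso.com")
$published = @("mail.contoso.com", "vpn.contoso.com", "www.contoso.com", "contoso.com", "owa.mail.contoso.com")
Get-UncoveredHostNames -CertNames $certNames -PublishedNames $published
```

&lt;P&gt;For the sample input the last call returns contoso.com and owa.mail.contoso.com as uncovered. To check the listener's real certificate instead of the literal list, pass the result of Get-CertificateHostNames on the certificate from Cert:\LocalMachine\My as CertNames. The fix that avoids switching off certificate checks on the client is a certificate whose SAN lists every published name explicitly; one such certificate still serves the single port 443 listener.&lt;/P&gt;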
&lt;P&gt;As always: If you have anything you would like me to answer, drop me a mail or a comment. &lt;/P&gt;
&lt;P&gt;Roger &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Other posts in this series: &lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction.aspx"&gt;Securing My Infrastructure: Introduction&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction-part-2.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction-part-2.aspx"&gt;Securing My Infrastructure: Introduction (part 2)&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/02/05/securing-my-infrastructure-risk-management.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/02/05/securing-my-infrastructure-risk-management.aspx"&gt;Securing My Infrastructure: Risk Management&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;Additional Information&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;DIV&gt;ISA Server &lt;/DIV&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/isaserver/default.mspx" mce_href="http://www.microsoft.com/isaserver/default.mspx"&gt;Homepage&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/isa/default.mspx" mce_href="http://www.microsoft.com/technet/isa/default.mspx"&gt;ISA Server Techcenter&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/isa/2006/library/default.mspx" mce_href="http://www.microsoft.com/technet/isa/2006/library/default.mspx"&gt;Technical Library&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/isa/community/sharpen.mspx" mce_href="http://www.microsoft.com/technet/isa/community/sharpen.mspx"&gt;Webcasts&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/isa/downloads/2006/tools/default.mspx" mce_href="http://www.microsoft.com/technet/isa/downloads/2006/tools/default.mspx"&gt;ISA Server Tools&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.isaserver.org/" mce_href="http://www.isaserver.org/"&gt;ISAServer.org&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.isatools.org/" mce_href="http://www.isatools.org/"&gt;ISATools.org&lt;/A&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2937914" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category></item><item><title>Securing My Infrastructure: Risk Management</title><link>http://blogs.technet.com/rhalbheer/archive/2008/02/05/securing-my-infrastructure-risk-management.aspx</link><pubDate>Tue, 05 Feb 2008 16:04:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2831322</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2831322.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2831322</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2831322</wfw:comment><description>&lt;P&gt;This is a follow-up of my last post about how I secure my environment. If you want to read the start of the series, see at the end of this post but please do not expect me to keep this rhythm &lt;SPAN style="FONT-FAMILY: Wingdings"&gt;J&lt;/SPAN&gt;. &lt;/P&gt;
&lt;P&gt;Let me start with an introduction first: After my first post, I got quite a few reactions – which was very good and promising. You raised quite a few questions, mainly about monitoring and authentication. I will answer them and would like you to keep asking – that is the only way you get an answer, actually. However, I will start with a few different themes and then come to those. Mainly, I would like to start with Risk Management and how I secure my perimeter. From there on, we can talk about monitoring and how I do the authentication piece in my environment. &lt;/P&gt;
&lt;P&gt;So, before you actually start to talk about how to secure something, you need two things: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What are your assets? &lt;/LI&gt;
&lt;LI&gt;What are the risks for these assets? &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;If I look at my environment: My assets? Well, there are a few things I would like to protect: all the photos and videos of my family, my mailbox and a few others. But really critical information is not here. However, I would not like to read somewhere that somebody broke into my network… &lt;/P&gt;
&lt;P&gt;What is the easiest way to get a good overview of your risks? The challenge there is always to compare the business risks (including the acceptable level of risk) with the actual risks you are taking in your infrastructure. A good tool that can help you here is the &lt;A href="http://www.microsoft.com/technet/security/tools/msat/default.mspx" mce_href="http://www.microsoft.com/technet/security/tools/msat/default.mspx"&gt;Microsoft Security Assessment Tool (MSAT)&lt;/A&gt;. We just recently released a new version of it (you can have it in multiple languages). It is a really excellent tool from my point of view to give you an overview of your needs: Where you should invest more AND where you are doing too much! It does that in two steps: &lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;You assess your own profile and create what we call a BRP (Business Risk Profile) &lt;/LI&gt;
&lt;LI&gt;
&lt;DIV&gt;You assess your infrastructure. There are – again – two assessments available &lt;/DIV&gt;
&lt;OL&gt;
&lt;LI&gt;Security Assessment &lt;/LI&gt;
&lt;LI&gt;An assessment against the &lt;A href="http://www.microsoft.com/business/peopleready/coreinfra/ac/default.mspx" mce_href="http://www.microsoft.com/business/peopleready/coreinfra/ac/default.mspx"&gt;Core Infrastructure&lt;/A&gt; part of our &lt;A href="http://www.microsoft.com/industry/government/solutions/itinfrastructureoptimization.mspx" mce_href="http://www.microsoft.com/industry/government/solutions/itinfrastructureoptimization.mspx"&gt;Infrastructure Optimization&lt;/A&gt; model &lt;/LI&gt;&lt;/OL&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;So, I did both, and afterwards it generates some reports for me on how I am doing against my Business Risk Profile. You could even compare with businesses in similar segments (is there any family out there running a similar infrastructure??). &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Assessment &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Looking at my security assessment, this is the high-level overview: &lt;/P&gt;
&lt;P style="TEXT-ALIGN: center"&gt;&lt;SPAN style="BACKGROUND-COLOR: yellow"&gt;&lt;IMG style="WIDTH: 565px; HEIGHT: 325px" height=325 src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780534/original.aspx" width=565 mce_src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780534/original.aspx"&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="TEXT-ALIGN: center"&gt;&lt;EM&gt;BRP: Business Risk Profile, DiDI: Defense in Depth Index &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;The result is not really surprising: I am doing extremely well on Infrastructure and Applications. What about Operations? Well, I do not have any standardized build for my servers and clients, nor is there any formal process to test them. Overall, I am not doing well on processes at home (why should I? I &lt;STRONG&gt;am&lt;/STRONG&gt; the process :-)). With regards to the people: as there are not too many people on my network, they are drilled in what they are allowed to do and how to behave if something bad happens. Therefore I am doing much better than I actually would have to compared to my business risk profile. &lt;/P&gt;
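&lt;P&gt;To make the two-step idea concrete, here is an added example (not code from the post, and not MSAT's own scoring, which the post does not publish): a small risk register in Python that builds a Business Risk Profile from assets and threats (step 1) and then compares it with a self-assessed defence level per area (step 2), reporting where to invest more and where one is doing too much. The four areas are the ones the assessment reports on; the assets, threats, scales and thresholds are constructed assumptions for illustration. &lt;/P&gt;

```python
import bisect
from dataclasses import dataclass

# Added example, not MSAT's own scoring (the post does not publish it): a
# minimal risk register that mirrors MSAT's two steps. Step 1 derives a
# Business Risk Profile (required defence level per area) from assets and
# threats; step 2 compares it with the self-assessed current defence level.
# The areas are the ones the post names; scales, assets and numbers are
# constructed for illustration.

AREAS = ("infrastructure", "applications", "operations", "people")


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (expected within the year)
    area: str         # the area whose controls mitigate this threat


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int       # 1 (nuisance) .. 5 (critical) if the asset is compromised
    threats: tuple    # of Threat


# Risk = likelihood x impact, 1..25; thresholds map it to a defence level 1..4
# (score >= 4 -> level 2, >= 9 -> level 3, >= 16 -> level 4). Constructed scale.
LEVEL_THRESHOLDS = (4, 9, 16)


def risk(asset, threat):
    return asset.impact * threat.likelihood


def required_level(score):
    return 1 + bisect.bisect_right(LEVEL_THRESHOLDS, score)


def business_risk_profile(assets):
    """Step 1: per area, the defence level demanded by the worst risk it must mitigate."""
    profile = dict.fromkeys(AREAS, 1)
    for asset in assets:
        for threat in asset.threats:
            if threat.area not in profile:
                raise ValueError(f"unknown area {threat.area!r} on {asset.name!r}")
            level = required_level(risk(asset, threat))
            profile[threat.area] = max(profile[threat.area], level)
    return profile


def compare(profile, actual):
    """Step 2: current level minus required level per area.
    Negative means invest more; more than one level of headroom means doing too much."""
    return {area: actual[area] - profile[area] for area in AREAS}


def recommendations(gaps):
    out = {}
    for area, gap in gaps.items():
        if gap < 0:
            out[area] = "invest"
        elif gap > 1:
            out[area] = "over-invested"
        else:
            out[area] = "ok"
    return out


# Constructed sample loosely following the post's home lab: photos, a mailbox,
# hand-built servers, few but well-briefed users.
HOME_LAB = (
    Asset("family photos and videos", 4, (
        Threat("disk failure or ransomware destroys the only copy", 4, "infrastructure"),
        Threat("restore has never been tested", 3, "operations"),
    )),
    Asset("mailbox", 3, (
        Threat("phishing of a family member", 4, "people"),
        Threat("exploit of the internet-facing mail server", 2, "applications"),
    )),
    Asset("lab servers", 2, (
        Threat("hand-built servers drift from a known configuration", 4, "operations"),
    )),
)

# Self-assessed current defence level per area, 1..4 (constructed; mirrors the
# post: strong on infrastructure and applications, weak on operations).
CURRENT_LEVEL = {"infrastructure": 4, "applications": 4, "operations": 1, "people": 3}


def assess(assets=HOME_LAB, actual=CURRENT_LEVEL):
    return recommendations(compare(business_risk_profile(assets), actual))


if __name__ == "__main__":
    for area, verdict in assess().items():
        print(f"{area:15} {verdict}")
```

&lt;P&gt;Run as a script it reports "invest" for operations and "over-invested" for applications, the same kind of picture the assessment draws above; the point is the comparison, so replace the constructed asset list and current levels with your own before reading anything into the verdicts. &lt;/P&gt;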
&lt;P&gt;&lt;STRONG&gt;Core Infrastructure &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This is a similar picture to the Security Assessment above: I am actually very well automated (some people call that level of automation "sick") for my profile, but I am not doing too well on processes: &lt;/P&gt;
&lt;P style="TEXT-ALIGN: center"&gt;&lt;SPAN style="BACKGROUND-COLOR: yellow"&gt;&lt;IMG style="WIDTH: 565px; HEIGHT: 328px" height=328 src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780535/original.aspx" width=565 mce_src="http://blogs.technet.com/photos/rhalbheer_gallery/images/2780535/original.aspx"&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;So, now I know where I am and what I have to do. The next step is looking a little bit more into my network perimeter and how I defend my network from the outside. &lt;/P&gt;
&lt;P&gt;As always: If you have anything you would like me to answer, drop me a mail or a comment. &lt;/P&gt;
&lt;P&gt;Roger &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Other posts in this series: &lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction.aspx"&gt;Securing My Infrastructure: Introduction&lt;/A&gt;&lt;EM&gt; &lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction-part-2.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction-part-2.aspx"&gt;Security My Infrastructure: Introduction (part 2)&lt;/A&gt;&lt;EM&gt; &lt;/EM&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;Additional Information &lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;DIV&gt;Risk Management Guide &lt;/DIV&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx" mce_href="http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx"&gt;Overview&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/downloads/details.aspx?FamilyID=C782B6D3-28C5-4DDA-A168-3E4422645459&amp;amp;displaylang=en" mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=C782B6D3-28C5-4DDA-A168-3E4422645459&amp;amp;displaylang=en"&gt;Download&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV&gt;Microsoft Security Assessment Tool (MSAT): &lt;/DIV&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/security/tools/msat/default.mspx" mce_href="http://www.microsoft.com/technet/security/tools/msat/default.mspx"&gt;Microsoft Security Assessment Tool&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&amp;amp;displaylang=en" mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&amp;amp;displaylang=en"&gt;Download the tool&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/technetmag/issues/2007/12/UtilitySpotlight/default.aspx" mce_href="http://www.microsoft.com/technet/technetmag/issues/2007/12/UtilitySpotlight/default.aspx"&gt;Utility Spotlight&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/security/tools/default.mspx" mce_href="http://www.microsoft.com/technet/security/tools/default.mspx"&gt;Security Tools&lt;/A&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2831322" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category></item><item><title>Securing My Infrastructure: Introduction (part 2)</title><link>http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction-part-2.aspx</link><pubDate>Tue, 29 Jan 2008 15:59:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2794118</guid><dc:creator>rhalbh</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2794118.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2794118</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2794118</wfw:comment><description>&lt;P&gt;Looking at Jacks comment to my initial post this morning (&lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction.aspx"&gt;Securing My Infrastructure: Introduction&lt;/A&gt;) it seems that I have to give you some additional information: &lt;/P&gt;
&lt;P&gt;So let me start with the goal of this network: &lt;/P&gt;
&lt;P&gt;Basically I started to build it on one server to play around with our technology. Soon I had to realize that unless I am running it in a "production-like" style, I will not learn the daily problems and challenges with a certain setup. It is one thing to make an environment to work and another to keep it running. Since then I connected my home PCs to the lab and run it 24*7 – and learned a lot! &lt;/P&gt;
&lt;P&gt;Second point is about the physical setup of the servers: &lt;/P&gt;
&lt;P&gt;I am actually running three physical servers at the moment, all on Windows Server 2003 R2: &lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;My oldest server is the oldest PC I have in the house with a 1.8 GHz CPU and 512 MB of RAM. It is running Windows Server 2003 R2 fully patched and is my ISA Server. &lt;/LI&gt;
&lt;LI&gt;The initial server mentioned above. It really rocked when I bought it – well, it is quite a time ago :-). It has a 2.4 GHz CPU and 2 GB of RAM. I am running a DC on it and Virtual Server 2005 R2 with two Virtual Machines on it (a DFS server (512 MB) and my MOM/Virtual Server Manager server (1 GB)). It runs pretty smoothly but at its limits. &lt;/LI&gt;
&lt;LI&gt;I needed this server as I needed a 64-bit environment. Therefore I put together a third server (and put it in the cellar – my wife really enjoys that). This has two 64-bit Core2 CPUs in it (3 GHz) and 8 GB of RAM. Additionally I am running a RAID 5 disk stack. This is my Exchange Server. On it I am running Virtual Server 2005 R2 again with 4 servers (a second DC as a backup for my AD :-), a SQL Server, my Forefront Client Security/WSUS server and my SharePoint). &lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;So there are two questions open that come to my mind – probably more, let me know &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Why am I not running Windows Server 2008? This is a valid question. I built some labs with Windows Server 2008 but did not have the appropriate time available to actually start to migrate. I will start with the less critical servers to gain some experience with the migration as soon as it goes RTM (and this is soon). I will not be able to migrate the firewall as ISA Server 2006 will not run on Windows Server 2008. The reason is that we re-designed the IP-Stack on Windows Server 2008. &lt;/LI&gt;
&lt;LI&gt;Why no Hyper-V? This is the next big step I will do in this environment for sure. My server 2 from above is still a 32-bit. Therefore I will have to add a second 64-bit server and start the migration from there. I will have everything on Hyper-V except for the Firewall (my server 2 will be the new Firewall after the migration). So give me some time here. I will describe certain setups (like the ISA Server) and then tell you more about the migration from physical to virtual machines and from Windows Server 2003 to Windows Server 2008. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Does that make sense? &lt;/P&gt;
&lt;P&gt;If there is any question you would like me to address, drop me a mail or a comment. &lt;/P&gt;
&lt;P&gt;Looking forward to your feedback &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2794118" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category></item><item><title>Securing My Infrastructure: Introduction</title><link>http://blogs.technet.com/rhalbheer/archive/2008/01/29/securing-my-infrastructure-introduction.aspx</link><pubDate>Tue, 29 Jan 2008 11:05:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2793173</guid><dc:creator>rhalbh</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2793173.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2793173</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2793173</wfw:comment><description>&lt;p&gt;As you probably know, some time ago, I asked for feedback and themes you are interested in. Some of you replied to me privately, some with comments and I would like to thank you for the constructive feedback. One of the inputs I got several times is that you would like to get more information how to secure and run an infrastructure – the usual ask for "best practices".
&lt;/p&gt;&lt;p&gt;Well, there are a lot of best practices out there, be it from us on the &lt;a href="http://www.microsoft.com/"&gt;Microsoft&lt;/a&gt; website or from third parties. However, they seem not to fit your need directly. So, what can I do? Give you some additional best practice? Well, most probably this will not fulfill your need either. And what is the reason for that? Well, you are unique! Your situation is unique, your assets are unique and your risk appetite is unique. 
&lt;/p&gt;&lt;p&gt;I tried to think of what could be valuable for you and am thinking that I could tell you, how I secure my environment at home in my lab. You will wonder what this has in common with the environment you have in your company. This is a valid question. Let me give you some ideas about the infrastructure I am running in the lab:
&lt;/p&gt;&lt;p&gt;The following server roles are on place:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Domain Controller
&lt;/li&gt;&lt;li&gt;Firewall
&lt;/li&gt;&lt;li&gt;Radius Server
&lt;/li&gt;&lt;li&gt;Mail-Server
&lt;/li&gt;&lt;li&gt;SharePoint
&lt;/li&gt;&lt;li&gt;Database-Server
&lt;/li&gt;&lt;li&gt;File-Server
&lt;/li&gt;&lt;li&gt;NAS
&lt;/li&gt;&lt;li&gt;Operations Manager
&lt;/li&gt;&lt;li&gt;AV-Console
&lt;/li&gt;&lt;li&gt;Patch Management Server
&lt;/li&gt;&lt;li&gt;Virtual Server
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;And, yes – there are a few clients as well :-). So, I am running an IT of the size of a small and medium business – not completely with the same requirements, but this is the environment in which I am trying to collect as much experience as possible and implement a lot of "best practices". 
&lt;/p&gt;&lt;p&gt;So, I will start to give you some insights into how you could use our technology (did I tell you already that everything is on Microsoft technology?) to secure and operate such an infrastructure. I will do it as long as…
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;… you are actually reading it
&lt;/li&gt;&lt;li&gt;… the number of additional attacks I see in the logs does not grow significantly
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;If there is any question you would like me to address, drop me a mail or a comment.
&lt;/p&gt;&lt;p&gt;Looking forward to your feedback
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2793173" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category></item></channel></rss>