Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.

Transcription

1 Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc. Foundstone Labs October, 2003

2 Table of Contents Table of Contents...2 Introduction...3 Scope and Approach...3 Assumptions...4 Findings and Recommendations...6 Conclusion...10 About Foundstone...11 Resources Foundstone, Inc. All Rights Reserved - 2

3 Introduction This paper presents an overview of the security assessment of Microsoft s System Architecture (MSA) 2.0 performed by Foundstone. The assessment entailed a detailed review of the appropriate documentation, interviews with key personnel and a penetration test of a pilot deployment to ensure that the architecture enforced a strong security posture. The goal of the exercise was to identify significant strengths and issues of concern both from an architectural and deployment perspective. Foundstone conducted the assessment in October 2003 in accordance with their comprehensive architecturereview methodology that employs an array of security penetration techniques and commercial-grade stress testing and monitoring. Foundstone s analysis showed that the MSA 2.0 architecture is in unison with the defense-in-depth principle of security, and is an in-depth reference for secure enterprise-network deployment using Microsoft technologies. Scope and Approach Foundstone analyzed the security framework of the MSA 2.0 architecture through design review and technical analysis of the framework as it was implemented in Microsoft s pilot laboratory environment. The following areas were examined: Documentation of Microsoft Systems Architecture 2.0 MSA Build Guide 2.0 MSA Planning Guide 2.0 MSA Operations Guide 2.0 MSA Deployment Kit 2.0 Reference Architecture Kit version 2.0 Implementation Kit versions 2.0 Pilot Deployment Security posture of Internet-facing MSA environment Logical controls to segment network zones Configurations of component servers and network devices Potential threat vectors to environment Foundstone s testing approach consisted of interviews with MSA development staff, design reviews, and technical analysis. Key design features and assumptions were documented, tested, and analyzed Foundstone, Inc. All Rights Reserved - 3

4 The pilot deployment consisted of a full array of servers including DHCP, Database, Active Directory, Management, Web, WINS, DNS, Proxy, VPN, Backup, Print, DFS, Deployment, Storage Management, and Firewall servers. These servers were configured in a multi-tier environment, including Boarder, Perimeter, and Internal network zones. The few protocols that were available from the Internet consisted primarily of http and https Web services. From the Perimeter network, only services that were required to operate the business were explicitly allowed, including Web (http and https) and DNS (53). This deployment simulated a real-world enterprise environment which included servers, various protocols, and the diversity of platforms found in large modern companies. The guidelines in the MSA 2.0 documentation allow for scaling to smaller environments while still following the underlying principles of defense in-depth. Foundstone approached the review with standardized test methodologies to review the pilot deployment. This approach focused on real-world vulnerabilities and exploits applied against varying attack vectors. Multiprotocol discovery and vulnerability scans were utilized from various zones within the MSA to test the adequacy of ingress and egress network controls. Foundstone utilized Foundstone Enterprise, a vulnerability analysis and remediation software package during this testing phase. Foundstone also reviewed the configuration of servers and network devices to determine the appropriateness of host-based controls and security features such as auditing, logging, and host-based access. Assumptions Foundstone identified areas that require additional attention to ensure against negligence during the deployment process. Due to the existence of other Microsoft guidance, the following topics are outside of the scope of the MSA guidance. Although the architecture is believed to impart a sound security posture to an implementation in accordance with it, Foundstone and Microsoft believe that consideration and deployment of the followings technologies is important. Anti-Virus Software Development Anti-virus software deployment serves not only to protect the subject machines against virus and worm outbreaks, but also makes an attacker s task of uploading malicious executables extremely arduous. This further reinforces the compliance to a defense-in-depth approach to security. Patch Management Solutions and their Significance Effective patch management solutions such as Microsoft s Software Update Service (SUS) are addressed in the Microsoft Solution for Management (MSM). Hence, Patch Management is not addressed in the MSA guidance. Patch management is fundamental for an organization to keep up-to-date on security patches and hot fixes. Patch management also helps ensure that critical servers are not compromised by exploitation of well-known vulnerabilities Foundstone, Inc. All Rights Reserved - 4

5 Use of IPsec Encryption between Critical Servers As discussed earlier, confidentiality is one of the three primary tenets of security. Foundstone recommended that due importance be given to the maintenance of confidentiality of data passing between critical servers (e.g., between a Web server and database) and appropriate solutions to achieve it (viz. IPSec encryption). IPSec encryption is discussed in the Security Architecture documentation as a mechanism to mitigate the impact of packet sniffing on the network. Un-Patched Internal Servers The Microsoft lab being assessed was updated with patches up to a specific date for testing purposes. Patches released after that date were not applied. This allowed Foundstone to attempt several exploits against vulnerabilities that were not patched, providing an accurate simulation of an un-patched or inadequately patched environment a common scenario. Attempts to exploit these vulnerabilities, however, were in vain due to appropriate application-level access controls in the form of an ISA server between the attacker's machine and the victim. This re-enforced the defense-in-depth strategy recommended by the MSA 2.0 architecture documentation. Secure Configuration of Wireless Deployments Wireless technologies are being deployed as a last-hop solution in corporate environments at an everincreasing rate. Wireless networking implementation was not covered in the current MSA release. However, this topic was covered to some extent in the Microsoft Solutions for Security Securing Wireless Networking guide Foundstone, Inc. All Rights Reserved - 5

6 Findings and Recommendations Following interviews, the documentation review, and laboratory testing, Foundstone presented the results and recommendations to Microsoft s System Architecture team. Documentation and Architecture Foundstone believes that the extensive coverage of the following subjects in the documentation and design will contribute to a strong security posture when appropriately applied. The following areas are highlighted requirements within the Microsoft Systems Architecture 2.0 documentation: Findings Segregation of the Network into Pertinent Zones Segregation of the network into security zones not only facilitates the implementation of mitigation strategies through aggregation but also limits the influence of an attacker in case of a compromise. Hardening of Servers at the Host Level Hardening at the host level ensures against extensive compromise of the entire environment, even in the event of circumvention of the firewall rule sets. This step entails running minimal services on the host, implementing appropriate password complexity requirements, and setting appropriate registry settings to prevent unauthorized access to the machine over the network. Encryption Mechanisms Implementation of strong encryption mechanisms protects the confidentiality of critical data traversing the network by making it undecipherable to packet sniffers. This is of paramount importance in maintaining confidentiality one of the three tenets of security, along with integrity and availability. Application Level Security Enhancements Application level attacks are transparent to conventional firewalls. Thus, additional inspection of layer-7 data is necessary to prevent the acceptance of malicious URLs which may result in system or data compromise. The documentation stresses this fact through the discussion of HTML filters. Physical Security Mechanisms for Critical Servers Physical security is an often-neglected aspect of IT security. However, it is a vital component of a secure implementation. The overall security posture of the network can be severely undermined by an attacker gaining unauthorized physical access to critical servers. Emphasis on Defense-in-depth The documentation appropriately emphasizes conformance to the defense-in-depth principle, to ensure that a single compromise due to potential zero-day vulnerabilities does not allow the attacker to expand his or her influence throughout the environment. This is achieved by implementing multiple layers of security mechanisms at the host, network, data, and application layers to ensure a safe fail throughout the network Foundstone, Inc. All Rights Reserved - 6

7 Establishment of a Risk Assessment Process The risk assessment process has been given due significance in the documentation. A well-defined risk assessment process ensures that all threats to the environment have been identified and that the consequential risks have been accepted, rejected, or mitigated. The continuity of the process also ensures that the security posture of the environment is maintained at a high level, despite the advent of new threats. Recommendations Although an implementation in accordance with the described architecture may impart a sound security posture, Foundstone identified areas that could be further emphasized in the documentation to ensure against negligence through the deployment process. Additional attention to these topics will aide in creating a more secure infrastructure. The following list describes these topics: Use of IPsec Host-Based Filtering on Key Infrastructure Components Although the DMZ domain controllers were on a physically separate network segment than the front-side of the multi-homed, Internet-connected servers, Foundstone still recommended utilizing the additional protection that IPsec host-based port filters provide. This helps protect the components against unauthorized access in case other elements in the DMZ are compromised. Centralized logging mechanisms to effectively support intrusion detection Intrusion detection can by facilitated through the implementation of centralized logging mechanisms. Centralized logs not only sufficiently mitigate the deletion of security logs by a potential attacker but also greatly simplify the correlation process to effectively detect an intrusion at the earliest possible moment. Ethernet Port Security The MSA 2.0 architecture addresses packet sniffers as a potential intrusion threat, and it references various techniques to limit the effects of sniffing with malicious intent. These techniques include the use of strong authentication, a switched infrastructure, anti-sniffing technology, and cryptography to good effect. However, the architecture does not cover the subject of binding Ethernet ports to specific MAC addresses to limit sniffing in a switched environment through ARP spoofing. Foundstone believes that this topic requires more coverage as an anti-sniffing measure that can be easily deployed by most organizations. Penetration Test Foundstone performed the penetration test, both from the perspective of an anonymous Internet surfer with malicious intent, and an attacker who had gained access to the DMZ and was attempting to expand his influence and penetrate into the internal corporate network Foundstone, Inc. All Rights Reserved - 7

8 Findings The pilot deployment implemented in accordance with the underlying principles of the MSA 2.0 reference architecture was found to be sound from a security standpoint. Foundstone identified the following significant strengths in the deployment: Minimal Exposure of Services to the Internet Ports scanning the infrastructure deployed in accordance with the MSA 2.0 reference architecture revealed that only necessary services, defined in this case as HTTP (port 80), HTTPS (port 443), and DNS (port 53) on select servers, were accessible from the Internet,. Foundstone considered this to be a positive result from following the MSA 2.0 design, as exposure of additional (potentially unnecessary) services to the Internet may have provided an attacker with additional entry points into the DMZ. Out-of-Band Management Channel The deployment used a physically-separate network to transmit management traffic. This is a recommended practice to prevent the sniffing and/or alteration of critical management data including administrative credentials. Foundstone considered this to be a positive result from following the MSA 2.0 design. Secure Configuration of Web Servers and their Underlying Operating Systems In general, the Web servers and their underlying operating systems were found to be deployed following Microsoft s recommended build documents. They were also identified as up-to-date on security patches and hot fixes at the time the documentation was created. This mitigates the risk of a script kiddie or worm from gaining access to the server through the exploitation of an existent well-known vulnerability. Foundstone also considered this a positive result from following the MSA 2.0 design. Sound Configuration of Application-Layer Firewalls The external firewall protecting the DMZ from the Internet and the internal firewall protecting back-end databases from the DMZ servers were found to be properly configured and deployed. This prevented any attempts of unauthorized access against these critical infrastructure components. Foundstone also considered this to be a positive result from following the MSA 2.0 design. In addition, application firewall features were enabled at the perimeter; adding an even deeper level of security at the critical border between the public Internet and the enterprise DMZ. Recommendations Foundstone did identify some minor issues of concern. These issues were not considered a serious risk to the environment as they could not be successfully exploited to gain unauthorized access to any component of the infrastructure. These issues include the following: Web Servers Support Export Grade (weak) SSL Ciphers Web servers in the DMZ were found to be compatible to export grade (40 bit) SSL ciphers Foundstone, Inc. All Rights Reserved - 8

9 Foundstone recommended the use of 128-bit ciphers only, as they alone are considered adequate to prevent against the exposure of encrypted data. To overcome limitations imposed on the export of cryptography, Foundstone recommended referring to Microsoft s Server Gated Cryptography (SGC) technology. Foundstone also recommended that this issue be given due importance in the MSA 2.0 architecture documentation. Inconsistent Permission of ICMP from the Internet into the DMZ Permitting the use of the Internet Control Message Protocol (ICMP) on the network can provide an attacker with the means of launching a denial-of-service attack against critical day-to-day business operations. It can also be leveraged as an effective covert channel. Foundstone recommended that ICMP packets be disallowed by periphery firewalls. Though the deployment under review did abide by this policy, the denial of ICMP packets was not consistent and comprehensive Foundstone, Inc. All Rights Reserved - 9

10 Conclusion Foundstone concluded that the MSA 2.0 architecture emphasized the defense-in-depth principle of security through every step of the implementation and documentation. This can be attributed to the appropriate emphasis on segmentation of infrastructure components coupled with the extensive incorporation of accesscontrol mechanisms at appropriate places in the environment. The significance of this conformance was highlighted by the minimal impact of the high-risk buffer overflow vulnerability discovered on several servers within the internal network. Without these controls in place, the test may have resulted in the complete compromise of several critical servers. Foundstone also identified several areas requiring further emphasis to enhance the security posture imparted by the architecture. These include: patch management, IPsec filtering and encryption, anti-virus software deployment, and intrusion detection. Most of these issues can be addressed by reading the documentation referenced on several of these topics earlier in this paper. On the whole, Foundstone believes that the MSA 2.0 architecture is an excellent reference for secure enterprise network deployment providing sufficient flexibility to adapt to varying business needs and sizes Foundstone, Inc. All Rights Reserved - 10

11 About Foundstone Foundstone Inc., experts in strategic security, offers a unique combination of software, services, and education to help organizations continuously and measurably protect the most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company has one of the most dominant security talent pools ever assembled, and has authored ten books, including the best seller Hacking Exposed. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, D.C., and Seattle. For more information about Foundstone and Foundstone Enterprise Risk Solutions, visit or call FOUND within the U.S, and outside the U.S Foundstone, Inc. All Rights Reserved - 11

12 Resources Foundstone MSA Microsoft Patch Management IPsec Encryption Services Foundstone, Inc. All Rights Reserved - 12