World Headquarters Jones & Bartlett Learning 5 Wall Street Burlington, MA 01803 978-443-5000 info@jblearning.com www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Security Strategies in Windows Platforms and Applications, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits Chief Executive Officer: Ty Field President: James Homer Chief Product Officer: Eduardo Moura SVP, Curriculum Solutions: Christopher Will Director of Sales, Curriculum Solutions: Randi Roger Senior Marketing Manager: Andrea DeFronzo Associate Marketing Manager: Kelly Thompson VP, Design and Production: Anne Spencer VP, Manufacturing and Inventory Control: Therese Connell Manufacturing and Inventory Control Supervisor: Amy Bacus Editorial Management: High Stakes Writing, LLC, President: Lawrence J. Goodrich Senior Editor, HSW: Ruth Walker Associate Program Manager: Rainna Erikson Production Manager: Susan Schultz Composition: Gamut+Hue, LLC Cover Design: Kristin E. Parker Director of Photo Research and Permissions: Amy Wrynn Photo Research Coordinator: Joseph Veiga Cover Image: © HunThomas/ShutterStock, Inc. Chapter Opener Image: © Rodolfo Clix/Dreamstime.com Printing and Binding: Edwards Brothers Malloy Cover Printing: Edwards Brothers Malloy
ISBN: 978-1-284-03165-2
Library of Congress Cataloging-in-Publication Data Not available at time of printing.
Printed in the United States of America 17 16 15 14 13 10 9 8 7 6 5 4 3 2 1
Contents
Preface Acknowledgments
PART ONE The Microsoft Windows Security Situation
CHAPTER 1
Microsoft Windows and the Threat Landscape
Information Systems Security
Tenets of Information Security: The C-I-A Triad
Confidentiality Integrity Availability
Mapping Microsoft Windows and Applications into a Typical IT Infrastructure
Windows Clients Windows Servers
Microsoft’s End-User License Agreement (EULA)
Windows Threats and Vulnerabilities
Anatomy of Microsoft Windows Vulnerabilities
Code Red SQL Slammer Conficker
Discovery-Analysis-Remediation Cycle
Discovery Analysis Remediation
Common Forms of Attack
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2
Security in the Microsoft Windows Operating System
Operating System Components and Architecture
The Kernel Operating System Components
Basic Windows Operating System Architecture
Windows Run Modes Kernel Mode User Mode
Access Controls and Authentication
Authentication Methods Access Control Methods
Security Access Tokens, Rights, and Permissions
Security Identifier Access Rules, Rights, and Permissions
Users, Groups, and Active Directory
Workgroups Active Directory
Windows Attack Surfaces and Mitigation
Multilayered Defense Mitigation
Fundamentals of Microsoft Windows Security Monitoring and Maintenance
Security Monitoring Identify Vulnerabilities
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
PART TWO
Managing and Maintaining Microsoft Windows Security
CHAPTER 3
Access Controls in Microsoft Windows
The Principle of Least Privilege
The Orange Book Least Privilege and LUAs
Rights and Permissions
Access Models: Identification, Authentication, Authorization, ACLs, and More
Windows Server 2012 Dynamic Access Control (DAC) User Account Control (UAC) Sharing SIDs and SATs Managed Service Accounts Kerberos NT LAN Manager
Windows Objects and Access Controls
Windows DACLs DACL Advanced Permissions
SIDs, GUIDs, and CLSIDs
Calculating Microsoft Windows Access Permissions
Auditing and Tracking Windows Access
Microsoft Windows Access Management Tools
Cacls.exe Icacls.exe Robocopy
Best Practices for Microsoft Windows Access Control
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4
Microsoft Windows Encryption Tools and Technologies
Encryption Methods Microsoft Windows Supports
Encrypting File System, BitLocker, and BitLocker To Go
Encrypting File System BitLocker BitLocker To Go
Enabling File-, Folder-, and Volume-Level Encryption
Enabling EFS Enabling BitLocker Enabling BitLocker To Go
Encryption in Communications
Encryption Protocols in Microsoft Windows
SSL/TLS Virtual Private Network Wireless Security
Microsoft Windows and Security Certificates
Public Key Infrastructure
Best Practices for Windows Encryption Techniques
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER 5
Protecting Microsoft Windows Against Malware
The Purpose of Malware
Types of Malware
Virus Worm Trojan Horse Rootkit Spyware Ransomware Malware Type Summary
Antivirus and Anti-Spyware Software
Antivirus Software Anti-Spyware Software
Importance of Updating Your Software
Maintaining a Malware-Free Environment
Scanning and Auditing Malware
Tools and Techniques for Removing Malware
Malware Prevention Best Practices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6
Group Policy Control in Microsoft Windows
Group Policy and Group Policy Objects
Group Policy Settings GPO Linking
Making Group Policy Conform to Security Policy
Security Responsibility Security Policy and Group Policy Group Policy Targets
Types of GPOs in the Registry
Local Group Policy Editor GPOs in the Registry Editor
Types of GPOs in Active Directory
Group Policy Management Console GPOs on the Domain Controller
Designing, Deploying, and Tracking Group Policy Controls
GPO Application Order Security Filters GPO Windows Management Instrumentation (WMI) Filters Deploying Group Policy
Auditing and Managing Group Policy
Group Policy Inventory Analyzing the Effect of GPOs
Best Practices for Microsoft Windows Group Policy and Processes
Group Policy Design Guidelines
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7
Microsoft Windows Security Profile and Audit Tools
Profiling Microsoft Windows Security
Profiling Profiling Windows Computers
Microsoft Baseline Security Analyzer (MBSA)
MBSA GUI MBSA Command Line Interface
Shavlik Security Analyzers
NetChk Protect Limited NetChk Protect
Secunia Personal and Corporate Security Analyzers
Secunia Personal Scanners Secunia Corporate Products
Microsoft Windows Security Audit
Microsoft Windows Security Audit Tools
Best Practices for Microsoft Windows Security Audits
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8
Microsoft Windows Backup and Recovery Tools
Microsoft Windows Operating System (OS) and Application Backup and Recovery
The Need for Backups The Backup Process The Restore Process
Workstation, Server, Network, and Internet Backup Techniques
Workstation Backups Server Backups Network Backups Internet Backups
Microsoft Windows and Application Backup and Recovery in a Business Continuity Setting
Disaster Recovery Plan Business Continuity Plan Where a Restore Fits In
Microsoft Windows Backup and Restore Utility
Restoring with the Windows Backup and Restore Utility Restoring with the Windows Server 2008 Server Recovery Utility
Rebuilding Systems from Bare Metal
Managing Backups with Virtual Machines
Best Practices for Microsoft Windows Backup and Recovery
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9
Microsoft Windows Network Security
Network Security
Network Security Controls
Principles of Microsoft Windows Network Security
Common Network Components Connection Media Networking Devices Server Computers and Services Devices
Microsoft Windows Security Protocols and Services
Securing Microsoft Windows Environment Network Services
Service Updates Service Accounts Necessary Services
Securing Microsoft Windows Wireless Networking
Microsoft Windows Desktop Network Security
User Authorization and Authentication Malicious Software Protection
Outbound Traffic Filtering
Microsoft Windows Server Network Security
Authentication and Authorization Malicious Software Protection Network Traffic Filtering
Best Practices for Microsoft Windows Network Security
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10
Microsoft Windows Security Administration
Security Administration Overview
The Security Administration Cycle Security Administration Tasks
Maintaining the C-I-A Triad in the Microsoft Windows OS World
Maintaining Confidentiality Maintaining Integrity Maintaining Availability
Microsoft Windows OS Security Administration
Firewall Administration Performance Monitor Backup Administration
Operating System Service Pack Administration Group Policy Administration DACL Administration Encryption Administration Anti-Malware Software Administration
Ensuring Due Diligence and Regulatory Compliance
Due Diligence
The Need for Security Policies, Standards, Procedures, and Guidelines
Best Practices for Microsoft Windows OS Security Administration
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
PART THREE
Microsoft Windows OS and Application Security Trends and Directions
CHAPTER 11
Hardening the Microsoft Windows Operating System
Understanding the Hardening Process and Mindset
Strategies to Secure Windows Computers Install Only What You Need Security Configuration Wizard Manually Disabling and Removing Programs and Services
Hardening Microsoft Windows Operating System Authentication
Hardening the Network Infrastructure
Securing Directory Information and Operations
Hardening Microsoft Windows OS Administration
Hardening Microsoft Servers and Client Computers
Hardening Server Computers Hardening Workstation Computers
Hardening Data Access and Controls
Hardening Communications and Remote Access
Authentication Servers VPNs and Encryption
Hardening PKI
User Security Training and Awareness
Best Practices for Hardening Microsoft Windows OS and Applications
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12
Microsoft Application Security
Principles of Microsoft Application Security
Common Application Software Attacks Hardening Applications
Securing Key Microsoft Client Applications
Web Browser E-mail Client Productivity Software File Transfer Software AppLocker
Securing Key Microsoft Server Applications
Web Server E-mail Server Database Server ERP Software Line of Business Software
Case Studies in Microsoft Application Security
Sporton International Monroe College Dow Corning
Best Practices for Securing Microsoft Windows Applications
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13
Microsoft Windows Incident Handling and Management
Understanding and Handling Security Incidents Involving Microsoft Windows OS and Applications
Formulating an Incident Response Plan
Plan Like a Pilot Plan for Anything That Could Cause Loss or Damage Build the SIRT Plan for Communication Plan Security Revision Procedures Plan Testing
Handling Incident Response
Preparation Identification Containment Eradication Recovery Lessons Learned
Incident Handling and Management Tools for Microsoft Windows and Applications
Investigating Microsoft Windows and Applications Incidents
Acquiring and Managing Incident Evidence
Types of Evidence Chain of Custody Evidence Collection Rules
Best Practices for Handling Microsoft Windows OS and Applications Incidents and Investigations
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14
Microsoft Windows and the Security Life Cycle
Understanding System Life Cycle Phases
Agile Software Development
Managing Microsoft Windows OS and Application Software Security
Developing Secure Microsoft Windows OS and Application Software
Implementing, Evaluating, and Testing Microsoft Windows OS and Application Software Security
Maintaining the Security of Microsoft Windows OS and Application Software
Microsoft Windows OS and Application Software Revision, Change Management, and End-of-Life Phaseout
Software Development Areas of Difficulty Software Control Software Configuration Management (SCM)
Best Practices for Microsoft Windows and Application Software Development Security Investigations
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15
Best Practices for Microsoft Windows and Application Security
Basic Rules of Microsoft Windows OS and Application Security
Audit and Remediation Cycles
Security Policy Conformance Checks
Security Baseline Analysis
OS and Application Checks and Upkeep
Network Management Tools and Policies
Software Testing, Staging, and Deployment
Compliance/Currency Tests on Network Entry
Trends in Microsoft Windows OS and Application Security Management
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A
Answer Key
APPENDIX B
Standard Acronyms
Glossary of Key Terms
References
Index
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.
Part 1 of this book focuses on new risks, threats, and vulnerabilities associated with the Microsoft Windows operating system. Particular emphasis is placed on Windows XP, Vista, 7, and 8 on the desktop, and Windows Server 2003, 2008, and 2012 versions. More than 90 percent of individuals, students, educators, businesses, organizations, and governments use Microsoft Windows, which has experienced frequent attacks against its well-publicized vulnerabilities. Part 2 emphasizes how to use tools and techniques to decrease risks arising from vulnerabilities in Microsoft Windows operating systems and applications. Part 3 provides a resource for readers and students desiring more information on Microsoft Windows OS hardening, application security, and incident management, among other issues.
Learning Features
The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional and helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.
Audience
The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
Acknowledgments
I would like to thank Jones & Bartlett Learning for the opportunity to write this book and be a part of the Information Systems Security & Assurance Series. I would also like to thank K Rudolph, the book’s technical reviewer and liaison between me and Jones & Bartlett Learning. Your input really made this a better book. And thanks so much to Ed Tittel for getting me involved in the first place and Carole Jelen with Waterside Productions for working so hard to make this happen.
To God, who has richly blessed me in so many ways
About the Author
MICHAEL G. SOLOMON (CISSP, PMP, CISM) is a full-time security speaker, consultant, and author, and a former university instructor who specializes in development and assessment security topics. As an IT professional and consultant since 1987, he has worked on projects for more than 100 major companies and organizations. From 1998 until 2001, he was an instructor in the Kennesaw State University Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C++ programming, computer organization and architecture, and data communications. Solomon holds an MS in mathematics and computer science from Emory University (1998), and a BS in computer science from Kennesaw State University (1987). He is currently pursuing a PhD in computer science and informatics at Emory University with a research focus on confidentiality assurance in untrusted cloud environments. He has also authored and contributed to various security books, including Security Strategies in Windows Platforms and Applications (Jones & Bartlett Learning, 2011), Auditing IT Infrastructures for Compliance (Jones & Bartlett Learning, 2011), and Computer Forensics JumpStart, 2nd Edition (Sybex, 2011). Solomon coauthored Information Security Illuminated (Jones and Bartlett, 2005), Security+ Lab Guide (Sybex, 2005), PMP ExamCram2 (Que, 2005), and authored and provided the on-camera delivery of LearnKey’s CISSP Prep and PMP Prep e-Learning courses.
PART ONE
The Microsoft Windows Security Situation
CHAPTER 1 Microsoft Windows and the Threat Landscape
CHAPTER 2 Security in the Microsoft Windows Operating System
CHAPTER 1
Microsoft Windows and the Threat Landscape
MICROSOFT WINDOWS is the most common operating system used today. More than 90 percent of computers use a Windows operating system. Microsoft provides operating system software for a wide variety of solutions, including both client and server computers. The latest Windows releases for server environments provide the most advanced features of the Windows product line.
Those releases contain new and updated security features. Each year brings new and unique threats to violate a system’s security. Whether the goal is to crash a system, access information without authorization, or disrupt normal system operation, attackers are finding many vulnerabilities to exploit.
It is important to understand the threats to Windows system security and the steps to protect it from attackers. The first step to creating and maintaining a secure environment is learning how to find and mitigate vulnerabilities and how to protect your systems.
Chapter 1 Topics
This chapter covers the following topics and concepts:
• What information systems security is
• What the tenets of information security are: the Confidentiality-Integrity-Availability (C-I-A) triad
• What mapping Microsoft Windows and applications into a typical IT infrastructure is
• What Microsoft’s End-User License Agreement (EULA) and limitations of liability are
• What common Windows threats and vulnerabilities are
• What Microsoft Windows vulnerabilities are, including Code Red, Conficker, and SQL Slammer
• What the discovery-analysis-remediation cycle is
• What common forms of attack on Windows environments are
Chapter 1 Goals
When you complete this chapter, you will be able to:
• Review key concepts and terms associated with information systems security
• Discuss the tenets of information security: C-I-A triad
• Explain how Microsoft Windows and applications map to a typical IT infrastructure
• List the main objectives of the Microsoft EULA
• Describe the limitations of liability in the Microsoft EULA
• Categorize Windows threats and vulnerabilities
• Recognize the anatomy of common Microsoft Windows vulnerabilities
• Summarize the discovery-analysis-remediation cycle
• Analyze common methods of attack
• Discuss emerging methods of attack
Information Systems Security
As computers become more complex, attackers become more sophisticated. Attackers are continually crafting new methods to defeat the most secure environments. The job of the security professional is becoming more difficult because of the complexity of systems and attacks. No single action, rule, or device can protect an information system from all attacks. It takes a collection of strategies to make a computer environment safe. This approach to using a collection of strategies is often called defense in depth. To maintain secure systems, it is important to understand how environments are attacked and how computer systems and networks can be protected. The focus here is specifically on securing the family of Microsoft Windows operating systems and applications.
The main goal in information security is to prevent loss. Today’s information is most commonly stored in electronic form on computers, also referred to as information systems. Although printed information, or hard copy, needs to be protected, this text addresses only issues related to protecting electronic information stored on information systems.
The two goals of protecting information from unauthorized use and making the information available for authorized use are completely separate and often require different strategies. Ensuring information is readily available and accessible for authorized use makes restricting the data from unauthorized use more difficult. Most information security decisions require careful thought to ensure balance between security and usability. Information that is secure is simply serving the purpose for which it is intended. It is not being used for unintended purposes.
Mechanisms used to protect information are called security controls. Security controls can be part of the operating system or application software setup, part of a written policy, or a physical device that limits access to a resource. Two common methods of categorizing controls are described here. These aren’t the only methods used to classify controls, and a single control may fit into more than one category. The first method looks at what the control is. Security controls belong to at least one of the following types:
• Administrative controls are written policies, procedures, guidelines, regulations, laws, and rules of any kind.
• Technical controls are devices or processes that limit access to resources. Examples include user authentication, antivirus software, and firewalls. Technical controls are also called logical controls.
• Physical controls are devices that limit access or otherwise protect a resource, such as fences, doors, locks, and fire extinguishers.
Security controls can also be categorized by the type of function they perform—that is, by what they do. The most common security control function types are:
• Preventive controls prevent an action. Preventive controls include locked doors, firewall rules, and user passwords.
• Detective controls detect that an action has occurred. Detective controls include smoke detectors, log monitors, and system audits.
• Corrective controls repair the effects of damage from an attack. Corrective controls include virus removal procedures, firewall table updates, and user authorization database updates.
Tenets of Information Security: The C-I-A Triad
The practice of securing information involves ensuring three main attributes of information. These three attributes are often called the tenets of information security, or the C-I-A triad. Some security professionals may refer to it as the A-I-C triad, but the concept is the same. The three tenets of information security are:
FIGURE 1-1 The C-I-A triad.
• Confidentiality—The assurance that the information cannot be accessed or viewed by unauthorized users is confidentiality.
• Integrity—The assurance that the information cannot be changed by unauthorized users is integrity.
• Availability—The assurance that the information is available to authorized users in an acceptable time frame when the information is requested is availability.
Each of the tenets interacts with the other two, and in some cases, may cause conflict with other tenets (Figure 1-1). In this section, you will look at each tenet in more detail and how each one may cause conflicts with the others.
Confidentiality
In some cases, it is not enough to ensure information is protected from changes. Some information is private, privileged, business confidential, or classified and must be protected from unauthorized access of any type. Part of the value of confidential information is that it is available only to a limited number of authorized users. Some examples of confidential information include financial information, either personal or corporate; personal medical information; and secret military plans.
Confidentiality also introduces a need for an additional layer of protection. Sometimes, it is necessary to limit users with access to many resources by only allowing them to access specific resources on a need-to-know (NTK) basis. For example, a manager may have access to project documents that contain sensitive information. To limit the damage that could occur from accidents or errors, it is common to limit access to only those documents that directly relate to the manager’s projects. Documents that do not directly relate to the manager’s projects are not accessible. That means that although a user possesses sufficient access for a resource, if the user does not have a specific need to know what the resource stores, the user still cannot access it.
A successful attack against confidential information enables the attacker to use the information to gain an inappropriate advantage or to extort compensation through threats to divulge the information.
Confidentiality has long been the subject of many types of legislation. Legislative bodies in many countries have enacted laws and regulations to protect the confidentiality of personal medical and financial information.
Attorneys and physicians have long enjoyed the privilege of confidentiality when conversing with clients and patients. This assurance of confidentiality is crucial to the free flow of necessary information.
Integrity
Information is valid only when it is correct and can be trusted. The second tenet of information security ensures that information can be modified only by authorized users. Ensuring integrity means applying controls that prohibit unauthorized changes to information. Controls that ensure information integrity can be based on the user’s role. Other examples of integrity controls are security classification and user clearance.
Since information may change as a result of application software instructions, it is important that controls ensuring integrity extend to the application software development process. Regardless of the specific controls in use, the goal of integrity is to protect information from unauthorized changes.
Availability
Secure information is serving the purpose for which it was created. This means that secure information must be available when the information is requested.
Many attacks focus on denying the availability of information. One common type of attack that denies the availability of information is the denial of service (DoS) attack. This type of attack does not need to actually access or modify information. It prevents authorized users from accessing it. For example, an attack that denies access to Amazon.com’s Web-based information would have a negative impact on sales. Amazon can’t afford to allow its information to be inaccessible for any length of time. Since so many businesses rely on available information to function properly, unavailable information poses a risk to the primary business functions.
Over a period of several months, from September 2012 to February 2013, a group of activists with hacking abilities, called hacktivists, launched a series of attacks against several major U.S. bank computer systems. Hacktivists are behind more and more large-scale attacks, the intent of which is generally to bring attention to some political or social issue. The targets of these attacks included U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services, and SunTrust Banks. Some customers were frustrated due to slow bank Web sites, while others were unable to reach their banks online at all. The banks learned from the attacks of this period and added new controls, but the hacktivists continued to find new vulnerabilities.
Mapping Microsoft Windows and Applications into a Typical IT Infrastructure
Satisfying the C-I-A triad requires more than just implementing controls on a single system. Today’s IT environments consist of a collection of computers and network devices connected to one or more networks. The collection of all computers, devices, and network components that make up an IT environment is called an IT infrastructure. An IT infrastructure diagram depicts the various components that work together to satisfy the organization’s information processing requirements (Figure 1-2). Some common infrastructure components include:
• Client platforms
• Network segments
• Network devices
• Server instances (often listed by function)
In most environments, the Microsoft Windows family of operating systems fills both the client and server roles. Although Windows systems can operate as network devices, such as gateways or routers, it is more common to see either purpose-built devices or Windows servers providing device services. This text will focus on the client and server roles of Windows.
FIGURE 1-2 A sample IT infrastructure.
Windows Clients
Client systems exist to provide functionality to end users. These systems are often called customer-facing systems. Each specific application can be deployed as either a thin or a thick client.
Thin clients collect information from end users, send it to a server for processing, and display the returned results back to the end user. Most of the actual processing of the information occurs on a server. One of the most common examples of a thin client application is a Web browser.
Thick clients collect information from the end user and process some, or all, of the information locally. Commonly, the information is stored in a database running on a server. The client handles a large amount of the information processing work. Examples of thick client applications are legacy enterprise applications that provide accounting and manufacturing control.
The most common Windows operating systems in use on client computers are:
• Windows XP
• Windows Vista
• Windows 7
• Windows 8 (the newest Windows client)
Windows client computers are often general-purpose computers that provide end user applications for various purposes. It is common for a single Windows client computer to have a Web browser, an e-mail client, and an office productivity suite, as well as proprietary application software installed. Client computers are rarely single-purpose devices. This multirole functionality often makes securing these computers more difficult.
The newest version of Windows, Windows 8, recognizes that all clients are not just typical computers. Windows 8 introduces a new user interface that works well on desktops, laptops, and mobile devices. Tablet devices and smartphones are very popular, and Microsoft has responded with Windows 8. Windows 8 may look different, but the strategies to keep it secure are very similar to those of other Windows clients.
Windows Servers
Server computers exist in the IT infrastructure to provide specific types of services to client applications, either directly or indirectly. Common server applications include Web servers, application servers, and database servers. Microsoft provides several different server products to satisfy various needs. In each version, it is common to tailor the specific applications installed on the server to customize the services provided. Microsoft markets several server packages, all based on the following Windows server products:
• Windows Server 2003—Many existing installations are still in operation.
• Windows Server 2008 R2—Currently the most common Windows operating system for servers, this server product is available in several editions for different applications. The main differences among editions are the number of processors, the amount of memory, and the high-availability features supported.
  • Foundation—Cost-effective, entry-level server for small businesses
  • Standard—More features than the Foundation edition and supports more common server functions for medium-sized businesses
  • Enterprise—Advanced server for more performance and reliability than the Standard edition
  • Datacenter—Optimized for large-scale deployment using virtualization on small and large servers
  • Web—Optimized Web application and services platform
  • HPC—Windows High Performance Computing server for extensive scalability and interoperability between servers
  • Itanium—Windows server specifically designed for the Intel Itanium high-performance processor
• Windows Server 2012—The latest server product, available in four different editions.
  • Foundation—Cost-effective, entry-level server for small businesses
  • Essentials—More features than the Foundation edition for most small to medium-sized businesses
  • Standard—Suitable for most server functions, along with limited virtualization ability
  • Datacenter—Designed for large-scale deployment on servers that support extensive virtualization
Microsoft’s End-User License Agreement (EULA)
A software license agreement must be accepted prior to the installation of any Microsoft Windows product. The software license agreement contains the Microsoft Software License Terms and is also referred to as the End-User License Agreement (EULA). It is important to read the EULA before accepting it—don’t just blindly choose the “I accept” option. Each edition of Windows ships with a specific version of the EULA, so it is important to know the contents of the EULA for each edition of Windows present in your environment.
The Windows install folder or the Microsoft Web site contains the EULA. To find the EULA on a computer with Windows currently installed:
1. Click the Start button, and then, in the Start menu, click My Computer.
2. Under Hard Disk Drives, double-click the drive where Windows is installed. This is often the drive labeled (C:).
3. Double-click the Windows folder, double-click the System32 folder, double-click the en-US folder, double-click the Licenses folder, and then double-click the _Default folder.
4. Double-click the folder that corresponds to the edition of Windows that’s installed on your computer, and then double-click License.
To find the EULA for any edition of Windows:
1. Open a Web browser, such as Internet Explorer.
2. Enter the following address: http://www.microsoft.com/about/legal/useterms/.
3. Enter the requested information for:
   a. How the software was acquired
   b. Product Name
   c. Version
   d. Language
4. Select the link for the desired EULA document.
There are a few sections of the Windows EULA that are of interest to security personnel. Make sure you read the following sections fully and are prepared to agree with Microsoft’s statements before accepting the agreement. Table 1-1 highlights the sections of the EULA that are of most interest to security personnel.
In summary, the EULA states that it is your responsibility to secure all Windows platforms.
Windows Threats and Vulnerabilities
Securing any platform requires an understanding of its capabilities and the most likely ways the platform can be compromised. Simply understanding everything about Windows will not make your systems secure. The main goal in securing an operating system and application environment is recognizing risks and implementing controls to mitigate those risks. In this section, you will look at risks and how to handle them.
A risk is defined as any exposure to a threat. A threat is any action that could lead to damage, disruption, or loss. A threat by itself is not necessarily dangerous. For example, lighting a fire could be considered a threat. In the right environment, such as on a camping trip or in a fireplace, lighting a fire is desirable. However, lighting a fire in an operational datacenter is not desirable at all. Such an action will likely result in business process disruption and possibly even damage.
For damage to occur, there has to be a threat, such as lighting a fire, in a vulnerable environment, such as in a datacenter. Attackers look for vulnerabilities, or weaknesses, in the operating system and application software. Once vulnerabilities are discovered, the next step is to devise an attack that will exploit the weakness. A successful attack is defined as one that realizes, or carries out, a threat against vulnerabilities.
It is important to understand the most common methods of attack in a Windows environment. This understanding allows you to devise controls that limit an attacker’s ability to realize threats. The controls you implement can directly address vulnerabilities or restrict an attacker’s ability to get into a position to realize a threat. Either way, by breaking the ability of an attacker to carry out a threat against a vulnerability, you make your environment more secure.
TABLE 1-1 Security-related sections of the Microsoft EULA.
EULA SECTION | DESCRIPTION
Potentially unwanted software | Windows Defender is a program that will search for and, optionally, remove spyware and other unwanted software. If turned on, Windows Defender may identify software as harmful and automatically remove it. This behavior may result in the removal of software that is necessary for proper system operation.
Internet-based services | Microsoft provides Internet-based services with Windows and may transmit information. This section of the EULA provides details of the services and the information that may be transmitted, e.g., system details resulting from a crashed program. Windows will optionally send information to Microsoft in an effort to find a resolution for the problem that caused the program to crash.
Limitation and exclusion of damages | Only the purchase price of Windows can be recovered, regardless of any damages incurred as a result of a Windows fault or incident. This clause alone provides an excellent reason for security personnel to protect organizations by securing all Windows environments.
Exclusions from warranty | The cost of a Windows license cannot be recovered if an organization suffers damages caused by its personnel.
Limitation and exclusion of damages for breach of warranty | If any part of the EULA is breached, damages cannot be recovered.
Anatomy of Microsoft Windows Vulnerabilities
Consider a few well-known Windows vulnerabilities. It is instructive to examine how real vulnerabilities have been exploited by attackers. Such analysis helps to understand the nature of vulnerabilities and methods of protecting systems from attackers. All of the following attacks used worms. Worms are standalone malicious software programs that actively transmit themselves, generally over networks, to infect other computers.
Code Red
The Code Red worm provides a sobering warning on how to secure Windows environments. The worm was first observed on July 13, 2001, as malicious software that attacked Microsoft Internet Information Services (IIS) Web server software. Once a vulnerable IIS system was attacked, Code Red would do the following:
• Deface Web sites with the phrase “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”
• Attempt to spread the worm to additional Web servers
• Wait 20–27 days and launch DoS attacks against specific IP addresses
The worm attacked a vulnerability of IIS by creating a buffer overflow. A buffer overflow is a vulnerability where data is supplied that is larger than the program expects—but the program accepts it anyway. In some cases, specially designed data can cause the program to execute instructions that were never intended. Buffer overflow vulnerabilities are well known, but still exist in software due to a lack of solid design and testing. This buffer overflow allowed Code Red to cause instructions to execute that would produce the desired worm behavior.
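The unchecked-copy pattern this paragraph describes, beside its hardened form, as an added illustration in C; it is not the book's material and not IIS or SQL Server code, and the function names, FIELD_MAX, and the sample inputs are constructed for this example:

```c
#include <stdio.h>
#include <string.h>

/* The size the program expects a request field to be (constructed value). */
#define FIELD_MAX 16

/* Constructed sample inputs: one that fits the buffer and one that does not. */
static const char kFits[] = "index.html";
static const char kOversized[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Vulnerable pattern: the sender is trusted to respect FIELD_MAX, so the copy
 * has no bound. Input of FIELD_MAX bytes or more writes past 'field' into
 * adjacent stack memory; that is the defect the text describes. This demo
 * only ever calls it with input that fits. */
void handle_field_unchecked(const char *input) {
    char field[FIELD_MAX];
    strcpy(field, input);                 /* no length check at all */
    printf("unchecked: %s\n", field);
}

/* Hardened form: measure the data before copying and reject anything that
 * does not fit, leaving one byte for the terminator.
 * Returns 0 when the field was handled, -1 when it was rejected. */
int handle_field_checked(const char *input, size_t input_len) {
    char field[FIELD_MAX];
    if (input_len >= FIELD_MAX) {         /* FIELD_MAX - 1 bytes is the limit */
        return -1;
    }
    memcpy(field, input, input_len);
    field[input_len] = '\0';
    printf("checked: %s\n", field);
    return 0;
}

int main(void) {
    handle_field_unchecked(kFits);
    printf("oversized accepted? %s\n",
           handle_field_checked(kOversized, strlen(kOversized)) == 0 ? "yes" : "no");
    printf("fitting accepted? %s\n",
           handle_field_checked(kFits, strlen(kFits)) == 0 ? "yes" : "no");
    return 0;
}
```

The boundary matters: a 16-byte field needs 17 bytes with its terminator, so the check rejects lengths of FIELD_MAX and above, not just those larger than the array.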
The most interesting aspect of Code Red is that a successful attack depended on a vulnerability for which a patch had been released over a month before Code Red appeared. Systems with the patch applied were not vulnerable to the attack. Ironically, it appears that the Code Red designers may have learned about the vulnerability from the patch documentation.
SQL Slammer
The SQL Slammer worm was another famous worm to exploit a well-known buffer overflow vulnerability. SQL Slammer first appeared on January 25, 2003, and spread rapidly. The worm exploited a bug in Microsoft’s SQL Server and Desktop Engine database products.
SQL Slammer is a very small, simple worm. It is only 376 bytes and fits into a single network packet. Since the worm uses User Datagram Protocol (UDP), it can propagate to a large number of other computers quickly without maintaining a connection. To make matters worse, the Desktop Engine product is installed on many client computers as a supporting service, and many users do not even know it is there. The transparent nature of the Desktop Engine meant that most of the instances were unprotected.
When the SQL Slammer worm runs on a vulnerable computer, it creates a list of IP addresses and quickly sends itself to the target computers. This process is very fast and can generate a very large volume of network packets. The concentration of UDP packets grows as more and more computers are infected, causing routers to slow down or even crash under the load. This saturation of routers is a denial of service (DoS) attack on network resources.
As with Code Red, Microsoft had released a patch for the vulnerability SQL Slammer exploited six months before the worm was first detected.
WARNING Computers with the patch applied were not vulnerable to SQL Slammer, but could still be affected if other computers on the same network were vulnerable and attacked.
Conficker
Conficker, also known as Downadup, is another worm that targets Microsoft Windows computers. Conficker is the newest worm of the three, first observed in November 2008. There are at least five variants of Conficker. Each successive variant is more sophisticated than the previous one.
The initial Conficker attack depended on a network service vulnerability. This vulnerability allowed the worm to infect systems and spread throughout the local network to other trusted computers. Microsoft released an emergency patch to address the initial vulnerability, but Conficker had already been updated to propagate using removable media as well as networks. Conficker does not employ new or unknown attack methods. The methods Conficker uses are largely well known. Conficker is unique because it combines many aggressive techniques in a manner that makes it very difficult to eradicate.