The 10 Most Dangerous Risks to Microsoft Security

Expert Reference Series of White Papers
The 10 Most
Dangerous Risks to
Microsoft Security
1-800-COURSES www.globalknowledge.comThe 10 Most Dangerous Risks to
Microsoft Security
Royce Howard, MCSA, MSCE, MCITP-Server Admin, Enterprise Administrator
IntroductionSecurity has always been an important part of any IT infrastructure. As technology progresses, it's a safe bet that there will always be people who will try to infiltrate your network to do their malicious deeds. As security technology improves, so do the skills of these notorious hackers. But what can we do to protect ourselves from these threats? This white paper has tips to help improve your awareness of some of the more important risks threatening your Microsoft infrastructure.
1. Physical AttacksLet's start with the most basic attack. A physical attack on a computer can be a daunting thing. Suppose some-one actually has physical access to a machine, and they wish to obtain data from it. With heightened awareness of password security, things are a little better. However a determined hacker can easily get to information that is stored on a machine whether it be a stand-alone client or a full-blown domain controller. Some obvious best practices include making sure that no one has physical access to any of your servers. Hopefully, most organiza-tions running a back-end SAN will have whatever room the servers are located in under lock and key. Physical attacks can also include an attacker coming in with an external hardware device like a usb drive and infiltrating a system that way.
Thankfully, Microsoft has supplied us with group policy settings so we can set a policy in place that prohibits the use of any type of external storage device. With the advent of Microsoft Server 2008, Microsoft has also given us Read Only Domain Controllers (RODC), and this helps tremendously as far as networks are concerned. Be-cause of the unilateral replication, if any of the structure is changed or manipulated, it ensures that the changes won't be replicated out to the rest of the network, not to mention the choice of which account credentials will be cached.
We were also given the new BitLocker feature to help protect sensitive data. BitLocker Drive Encryption is a full disk encryption feature included with Vista Ultimate and Enterprise as well as the new Windows 7 and Server 2008. It's designed to protect data by providing encryption for entire volumes. It uses the AES encryption algorithm in CBC mode with a 128 bit key. However, as with anything else in terms of security, hackers found a work-around.
Back in February of 2008, a straightforward cold boot attack was discovered. This basically allows a machine that is protected by BitLocker to be compromised by booting the machine off of a USB device into another OS
Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 2and then dumping the contents of the pre-boot memory. The attack relies on the fact that DRAM retains infor-mation for up to several minutes after the power has been removed. If cooled, it can buy the attacker even more time. This takes away any protection because the keys are held in memory while Windows is running. BitLocker can also operate in a sort of "USB Key" only mode. Of course, anyone using this method better be sure that the key is never left with the computer. There is also the possibility that a malicious program, like a pre-boot or post-boot malware program, could read the startup key off of the USB key and store it. It's always a good idea to remove the USB key from the USB port before Vista completely starts.
2. Password PoliciesWhen talking about password policies, we often think of complexity requirements. This can include number of characters, type of characters (letters, upper-case, lower-case, numbers, and special characters), how often the password should be changed, and failure threshholds. Any password policies not using Kerberos are using NTLanman, which uses 56-bit DES encryption, and that's really weak. Unless you happen to be running any NT boxes in your network, you can rest easy knowing that Kerberos authentication, with it's Advanced Encryption Standard (AES), is at work for you. However, one thing that can often be overlooked is that any password that is less than 15 characters long is automatically stored in backup with an NTLanman backup hashfile.
Taking t... [download for more]