
Server Security Technologies

(not Dr.) Fred Baumhardt
Security Technology Architect
Microsoft Incubation
fred@microsoft.com
Server Security
•How not to do it

[Image caption: This is not the way to protect your front perimeter or edge]
Infrastructure Security

Architecture Security Root Causes
•Infrastructure Architecture
• Enterprise organically grown under “Project” context
• Security was Secondary – vendors no best practice
• Internal Security wide open – everything to everything
• 0 day undefended – patch is the solution

[Diagram – classic network: Internet, Perimeter, Extranets, Internet Systems, Project 1…n Systems, Branch Offices, Departments, Some Core Systems; segments labelled Unmanaged / Unpatched; caption fragment “This will Save”]
Security Rules
•The Biology of Security

• Worms are Anonymous – they don’t carry your password database…. Authenticate Traffic – stops foreign infection.
• Pathogens Break Protocol Rules – you wrote a buffer for 72 characters, attacker sent you 182. Enforce Protocol Rules at the Network Device – things that break are dropped.
• Worms send clients something they didn’t ask for. Don’t process traffic that you didn’t ask for; understand protocols and know what to expect.
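The two protocol rules on this slide (drop whatever breaks the protocol, drop whatever nobody asked for) as an added example that is not from the deck: a Python filter sitting between client and server for a constructed line protocol, using the slide's 72-character payload limit. The protocol itself (`REQ`/`RSP` verbs, a numeric message id), the `ProtocolFilter` class and all sample traffic are assumptions made for illustration.

```python
"""Protocol-rule enforcement at the network device, in the spirit of the
slide's 'biology of security': anything that breaks the protocol rules
(oversized field, unknown verb, malformed id) is dropped, and any reply the
client never asked for is dropped too.  Added example; the protocol and the
sample traffic below are constructed for illustration."""

from dataclasses import dataclass, field

# Hypothetical line protocol: "<VERB> <id> <payload>\r\n".  The payload is
# capped at 72 bytes -- the buffer size from the slide's example.
MAX_PAYLOAD = 72
ALLOWED_VERBS = {b"REQ", b"RSP"}


@dataclass
class Verdict:
    action: str   # "pass" or "drop"
    reason: str


@dataclass
class ProtocolFilter:
    # Ids of requests the client actually sent; only these may be answered.
    pending: set = field(default_factory=set)

    @staticmethod
    def _split(line: bytes):
        """Split into (verb, id, payload); missing fields become b''."""
        parts = line.rstrip(b"\r\n").split(b" ", 2)
        while len(parts) < 3:
            parts.append(b"")
        return parts[0], parts[1], parts[2]

    def _check_shape(self, line: bytes) -> Verdict:
        """Rule 1: the message must obey the protocol's own limits."""
        verb, msg_id, payload = self._split(line)
        if verb not in ALLOWED_VERBS:
            return Verdict("drop", f"unknown verb {verb!r}")
        if not msg_id.isdigit():
            return Verdict("drop", "message id must be numeric")
        if len(payload) > MAX_PAYLOAD:
            return Verdict("drop", f"payload {len(payload)} bytes exceeds {MAX_PAYLOAD}")
        return Verdict("pass", "conforms to protocol")

    def outbound(self, line: bytes) -> Verdict:
        """Client -> server.  Remember what was asked for."""
        verdict = self._check_shape(line)
        if verdict.action == "drop":
            return verdict
        verb, msg_id, _ = self._split(line)
        if verb != b"REQ":
            return Verdict("drop", "client may only send REQ")
        self.pending.add(msg_id)
        return verdict

    def inbound(self, line: bytes) -> Verdict:
        """Server -> client.  Rule 2: only answers to pending requests pass."""
        verdict = self._check_shape(line)
        if verdict.action == "drop":
            return verdict
        verb, msg_id, _ = self._split(line)
        if verb != b"RSP":
            return Verdict("drop", "server may only send RSP")
        if msg_id not in self.pending:
            return Verdict("drop", "unsolicited reply: no matching request")
        self.pending.discard(msg_id)
        return verdict


def run_sample():
    """Constructed traffic mirroring the slide: a 72-byte reply fits the
    buffer, a 182-byte one does not, and an unrequested reply is dropped."""
    f = ProtocolFilter()
    traffic = [
        ("out", b"REQ 1 GET /index\r\n"),            # legitimate request
        ("in",  b"RSP 1 " + b"A" * 72 + b"\r\n"),     # exactly at the limit: passes
        ("in",  b"RSP 2 " + b"B" * 182 + b"\r\n"),    # 182-byte payload: dropped
        ("in",  b"RSP 3 hello\r\n"),                  # nobody asked: dropped
        ("out", b"REQ x GET /x\r\n"),                 # malformed id: dropped
    ]
    return [(f.outbound(l) if d == "out" else f.inbound(l)).action
            for d, l in traffic]


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

The length check runs before the request-matching check, so an oversized unsolicited reply is dropped for the first rule it breaks; either way nothing past the filter ever has to cope with 182 bytes in a 72-byte buffer.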
Server Auth
•Auth at all levels

[Diagram – authentication path by client type (labels as recoverable). Internet → Firewall → Authentication Server → DC/GC.
External Clients: DNS, HTTP(S), SMTP, FTP, RPC, POP3, IMAP4, LDAP, IKE, VPNs.
Mobile: SSL tunnel (LDAP, Kerberos, HTTP BASIC, Certificates, Limited NTLM); RPC (Kerberos, NTLM).
VPN: VPN (all types), RADIUS (UDP 1812-13 default); all client protocols (NTLM, Kerberos, Full Forms, BASIC, Certificates, SecurID).
Internal Clients: all client protocols, Full Forms, Certificates.]
Plan + Execute
•Wipe Out Attack Classes
• example

[Diagram – zoned network: Internet → Redundant Routers → Redundant Firewalls → NIC teams/switches, with a Control Zone in front of each segment.
Segments: Outbound Proxy Zone; Inbound Presentation Network – Proxy; Extranet Data Network; SQL Zone; Application Servers; Data Network – SQL Server Clusters; Infrastructure Network – Internal Active Directory; Messaging Network – Exchange FE; Messaging Network – Exchange BE; Client Networks 1…n; RADIUS Network; Intranet Network – Web Servers; Management Network – MOM, deployment.]
Plan + Execute
•Wipe Out Attack Classes
• NAP and Domain Isolation
•NAP (will) and Domain Isolation (has) become the standard which new systems roll out to
Infrastructure Security

ForeFront Security Capabilities
•Understand The Risks
•Define the Strategy

How Much Risk can we tolerate? Does it aggregate? Quantify Risk and impact.

• Outsource the risk to others – Buy managed services; Hire Consultants (outsource blame)
• Transformation required – To prevent re-occurrence; Should Wipe out Class of risk
• Decommission/Transition – Low enough risk/cost ratio to allow long term “project” to fix it

[Roadmap table – columns: Previous, Current, H2 2006, 2007+; rows: Client, Server, Edge. Only the Edge cells are labelled (TBD); the remaining entries were not recovered.]
It’s about securing the workload

• Simple malware scanning at client or server base is insufficient
• Multiple malware vendors scanning traffic inside the data repository – need engines per repository
• For mail, do it at edge and cloud, but other protocols are attacked internally, so protection should be internal
Workload Malware Approach

[Diagram – Malware Engines across Products:
• IM and Documents: Antigen on Live Communications Server and SharePoint Server
• E-mail: Exchange Hosted Services (EHS); ISA Server; Antigen on Exchange Front End Servers; Antigen on Exchange & BES Servers]
Plan + Execute
•The Training and Feelings of IT

Admin Training is Key – Users can be useful to IT
•Admins (like pets) can Help You – If you train them
•Work with your new IT to let them understand your architecture and why
•Security Policy should be open to be evolved, and should be enforced and challenged to application paradigms
•Application and Infrastructure admins should treat security and FW admins as peers
Be Sensitive to Jobs and Roles, re-skilling is pain
