Making reference to the truly Olympic distances between buildings here at the Georgia World Congress Center in Atlanta, Rick Taylor began his TechEd session on The 10 Immutable Laws of Microsoft SharePoint Security by saying, "Welcome everyone … to the second day of walking halfway to Savannah. Most of us in the IT business sit at desks all day, so I guess this is just karma." Rick, formerly of Microsoft (where he worked on BPOS), is a Senior Technical Architect at Perficient, and he's a great speaker. With an easy confidence, Rick is both funny and engaging, and I highly recommend checking out his sessions should you have an opportunity, either here at TechEd or at an upcoming conference.
Rick noted at the outset that "The more we share, the less secure we are; the more secure we are, the less we can collaborate … where is the happy medium? Because it's different for every enterprise." With an agenda focusing on the OSI model ("I don't only use the OSI model for security, I use the OSI model to troubleshoot problems … I start at the bottom and work my way up [the stack]"), attack surfaces ("Where are the bad guys going to go to attack"), and best practices for securing each layer ("How to prevent the attack"), Rick's session was packed with valuable information.
Speaking of the OSI model, Rick referred to it as the "layer of communication that happens when one computer talks to another … each layer has sub-layers, and if one layer is attacked, all layers can be affected." In a very real sense, as a result, "the lower you are, the more power you've got" since attacking even the lowest layer can wreak havoc all the way up the stack.
Layer one defines the physical and electrical specifications of a device (typically cables), and defines the relationship between a device and its medium. Layer one attack surfaces include the medium (cable or over-the-air, i.e. wireless), and the host (via keyboard or conduit). Securing layer one involves employing locks ("Don't walk away from your laptop without locking it") and cages.
Layer two is how data is transferred from node to node across a network, and includes sub-layers (Media Access Control, Logical Link Control, Application Protocol Convergence) and Protocols (ARP, PPP). Layer two attack surfaces include wireless access points (wardriving), hubs (broadcasting), and switches, via man-in-the-middle attacks ("If I can alter or interrupt the information, you've got a problem"). Securing layer two involves strong passwords on wireless routers ("If you're going to put wireless on there, put a network password on there"), strong encryption on wireless networks, ARP Defense software/hardware, and DHCP snooping.
Layer three performs network routing functions, and includes three sub-layers (subnetwork access, subnetwork dependent coverage, and subnetwork independent coverage), protocols (IP), and Services (ICMP). Level three attack surfaces include unused open ports, commonly open ports, and packet inspection. Securing layer three involve the prevention of ICMP abuse, the use of IPSEC, and the use of Network Policy Processing.
Layer four is responsible for reliable communication between endpoints, and involves protocols (connection-oriented with TCP and connectionless with UDP). The level four attack surface is the operating system, via OS Fingerprinting. Securing level four involves the use of routers between network segments, private IP addresses on the internal network, SSL, PEN testing of your network, enabling "fingerprint scrubbing" on routers, and more.
Layer five is responsible for connections between hosts, and involves protocols (RPC). Layer five attack surfaces include session hijacking, DNS Poisoning, and DDos. Securing level five involves choosing your authentication protocols wisely and the correct configuration of DNS.
Layer six is responsible for representing data in different formats, and the serialization of objects to and from XML. Layer six attack surfaces include NetBIOS ("Do not disable NetBIOS over TCP"), SMB, and IPC$. Securing level six involves the locking down of Null Session capability.
Layer seven is the top layer of the OSI model and interfaces directly with applications and their processes. Layer seven attack surfaces include DNS, FTP, SMTP, Telnet, SQL, etc. Securing level seven involves using GPO policies, using NAP to enforce access policies, using IPSec to secure host to host and host to server communications, and following best practices for securing service accounts.
In conclusion, Rick referred back to his opening remark about the need to find the "happy medium" for your organization between security and collaboration, stating that "once you find out what your happy medium is, enforce it."
Rick threaded them throughout his presentation, but I like to save the best for last so, without further ado, here are…
The 10 Immutable Laws of Microsoft SharePoint Security
- If a bad guy has unrestricted physical access your computer, it's not your computer anymore.
- If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
- If a bad guy can view your conversation, you have just invited him to tell everyone.
- If a bad guy can alter the operating system on your computer, it's not your computer anymore.
- If you allow a bad guy to upload programs to your website r network or if your network listens to someone else besides you, it's not your network anymore.
- Absolute anonymity isn't practical, in real life or on the Web.
- Weak passwords trump strong security.
- A computer is only as secure as the administrator is trustworthy.
- Your infrastructure is only as strong as your weakest link
- Technology is not a panacea, or, as Rick reinforced, "Technology is not the silver bullet for all things, especially in security."
Read our complete coverage of Microsoft TechEd North America 2011:
- 'Applying Branding from an Existing Website to Microsoft SharePoint 2010' with Jon Flanders
- 'Creating Self-Service Analytic BI Applications with Microsoft SharePoint 2010' with Peter Myers
- 'The 10 Immutable Laws of Microsoft SharePoint Security' with Rick Taylor
- 'Integrating Microsoft SharePoint 2010 and Microsoft Dynamics CRM Online' with Girish Raja
- Daniel Benson & Mark Stone on 'Creating Great End User Experiences with Fast Search for SharePoint 2010'
- 'Claims Identity in Microsoft SharePoint 2010' with Paul Schaeflein
- Chris Mayo on 'Developing Collaboration Solutions in the Cloud with Microsoft SharePoint Online'
- 'Creating Custom SharePoint Service Applications 101' with Todd Bleeker
- Aftab Alam & Chris Hopkins on 'IT-Centric Dashboards in Minutes with Microsoft SharePoint 2010 Using Microsoft Visio/Visio Services'
- 'Plan and Deploy My Site for Microsoft SharePoint Server' with Chris Gideon