Security Basics mailing list archives

Re: secure sharepoint 2010 design


From: Paul Johnston <paul.johnston () pentest co uk>
Date: Thu, 05 Aug 2010 16:40:42 +0200

Hi,

> I'm worried about browser exploits calling home and giving remote
> shell to outsiders.

Internal firewalling does nothing to prevent that. Smart exploits will
pretty much always be able to call home, either through DNS, picking up
proxy settings from a browser, or actually through the browser.

The firewall does reduce what a compromised system can access. Of
course, it can access anything that the user needs to do their job,
which may be significant (say, if the user is a cashier). What it stops
(hopefully :-) is a hacker using an exploit to get more access than that.

I'm not sure how important that is these days though - if your patching
is up-to-date, remote compromise exploits are rare. And even with the
firewall in place, if the hacker has a remote compromise exploit, they
could target it against other workstations. Although, with the "IPsec
everywhere" approach they can't do that. In fact, simpler than IPsec, if
workstations had their host firewall enabled, with an exception for
specific management networks that contain things like the domain
controllers, that would prevent this.

I'm not against internal firewalling, just pointing out that the
benefits might not be as clear-cut as you'd think.

Depending on what your company does, other actions may be appropriate.
If you have extensive web operations, it may be better to focus on your
SDLC. If you handle lots of confidential information, DLP may be a
higher priority. Most organisations are well behind with patching; this
may be more important to you.

Did you think about other approaches you could take to boost security?

> we would create specific rules for those workstations to only have
> access to the systems and ports they need.
> yes that opens a little hole, but it's still better than leaving it wide open.

Fair 'nuff. The only realistic alternative is to have separate
workstations for administration, perhaps VPNing over the main
workstation network. While this would be fab for security, I've never
seen it implemented.

> I was thinking about making this a separate project instead of trying
> to piggyback it with the sharepoint project.

I think that's the best way. As for no-one wanting to touch it... surely
that would be a good thing for a firewall :-)

> we just had a company near us get hit with a major
> worm and it caused them lots and lots of damages and changed the way
> they do things internally.

You can include the incident that happened at the nearby company in your
risk assessment. Concrete incidents are always more persuasive than "in
theory if..." arguments.

But think carefully about what controls would have helped with this (I
know it's tough without all the details). For example, NAC and disabling
USB ports may have prevented the outbreak - while internal firewalls
would just limit its scope.

Paul

-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
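Added example, not part of the thread: a small check for the "host firewall on, inbound allowed only from specific management networks" approach Paul describes. The management networks and the exported rule list are constructed sample data, and the rule format is an assumed (name, source, protocol, port) tuple rather than any real firewall's export format.

```python
"""Audit a workstation's inbound host-firewall allow rules against the
principle "default-deny inbound, except from management networks".
Every allow rule whose remote source is not wholly inside a management
network (domain controllers, patch/AV servers) is reported, because such
a rule lets one compromised workstation reach another."""
import ipaddress

# Constructed: networks that legitimately need to initiate connections
# to workstations (e.g. the domain controller and management subnets).
MANAGEMENT_NETS = [ipaddress.ip_network(n) for n in ("10.0.10.0/24", "10.0.11.0/24")]

# Constructed sample of inbound allow rules: (name, remote source, proto, port).
SAMPLE_RULES = [
    ("AD-RPC", "10.0.10.0/24", "tcp", 135),          # DC subnet: fine
    ("Patch-agent", "10.0.11.5/32", "tcp", 10123),   # single mgmt host: fine
    ("File-sharing", "any", "tcp", 445),             # any workstation: bad
    ("Remote-desktop", "10.0.0.0/8", "tcp", 3389),   # broader than mgmt: bad
]


def source_is_management(source, management_nets=MANAGEMENT_NETS):
    """True if the rule's remote source lies entirely within one management net."""
    if source == "any":
        return False
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == m.version and net.subnet_of(m) for m in management_nets)


def audit_inbound_rules(rules, management_nets=MANAGEMENT_NETS):
    """Return (rule name, reason) for each rule that admits non-management hosts."""
    findings = []
    for name, source, proto, port in rules:
        if source_is_management(source, management_nets):
            continue
        if source == "any":
            reason = f"{proto}/{port} open to any source"
        else:
            reason = f"{proto}/{port} source {source} is not within a management network"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_inbound_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```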
