22
DePaul University DePaul Information Security
DePaul University
DePaul Information Security
Today Microsoft Baseline Security Analyzer
(MBSA) Using Internet Explorer securely Email Privacy and File Integrity
Using email encryption Spam
Outline What is MBSA? How to get it? Installation Features Demonstration
Securing Windows Systems1. Operating System Updates
2. Use a Host Based Firewall
3. Account and Password Security
4. File Sharing
5. Microsoft Applications
What is MBSA? Created for Microsoft Systems specifically Tool to make Windows based systems and server
applications more secure. MBSA points out known flaws which are not fixed
on the tested system Shows ways to patch security holes Explains correct security guidelines Current version MBSA 2.0 Presents a security snapshot
How to get it? Microsoft Web Site
http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
Search on Google Microsoft Baseline Security Analyzer
Installation Wizard for easy installation
Features Graphical User Interface (GUI) options Scan local computer Scan for common administrative
vulnerabilities Scan for missing security updates against the
Microsoft Update catalog Creates reports in MBSA
Supports Checks for common administrative
vulnerabilities for: Windows 2000, XP, 2003 Windows Server 2003 IIS 5.0, 6.0 SQL Server 7.0, 2000 IE 5.01+ Office 2000, XP, 2003
Scans for common vulnerabilities
Is Windows Firewall enabled? Are Automatic Updates enabled? Are strong passwords enforced? Are unsecured Guest accounts enabled?
MBSA Demonstration
Pretty Good Privacy - PGP What is pgp and why use it Cryptography Key Pairs Using PGP software
Exporting, Importing and Backing up Keys Public Key Servers Encrypt/Decrypt Mail Encrypt/Decrypt Files Symmetric (secret or conventional) encryption
Demonstration
Encryption Software What is PGP
Originally Authored by Philip Zimmermann in 1991 Strong encryption software De-facto standard for email encryption today
Originally free software now owned by Network Associates – www.pgp.com
In 1997, OpenPGP working group formed to develop an open non-proprietary standard for PGP
GnuPG is completely free and compliant with OpenPGP Email should not be considered private PGP Allows for privacy and integrity
Cryptography Communicating in or deciphering secret writings or ciphers
Cipher Text Unreadable information – jumbled data
Encryption Process of scrambling information converting ordinary plaintext information to
cipher test
Decryption Recovering the plaintext back from the cipher text
Public Key cryptography (asymmetric) Encryption and Decryption are performed using different keys
Secret Key cryptography (symmetric) Same key is used for encryption and decryption
How does it work? Two Keys needed – Public and Private
To send someone mail or verify their signature, you need to know their public key
Using a public key, you encode or “encrypt” a chunk of data (file or email message)
Using a private key, you decode or “decrypt” the data to read the file or email
How does it work?
Generating PGP keys The software will generate a public/private
key pair You specify the size of the key (1024, 2048
bits) Need to provide a password to protect your
key
Public Key – 2048 bits-----BEGIN PGP PUBLIC KEY BLOCK-----Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
mQGiBERx5hsRBADsidrkWqSRLKM3VS2wZf74X5JwSrOJzJmBNWATdU/CNxC5Ip9md9NsNGEKeaX81FGs4JDUhqbuXSG8F939B0nN4M4jmiySlgHm/9NbQoMAHx4W0a71wN05f2UFxWrIsMSBOEWTAsEh3WJ5IcWklohLCnHQjatdeZdoUgL5/4uLzwCg/xLUsoKchra6xS5mZju+5wkZa4EEAIqKyXJPfOmQ3+dfaTEJiJASs3MCrDWOcfU4LsE9jeJKu8bc2Y9NyaJm/GFGRofa8pPf9C0rmTP1pX9enhq0OYUvspulmQjFDvVyiYrGIxy6au6mFZL4R4/Q306lpqpqTmwi6DEQx0fkwrUrhlj5v04Tofd2U1VYLPvYGXjyRYecA/9xWPmGX+Dca4EAngMyZ1y0GzJnR59bvgtc2eNX0fqesQTrU+coF2gBCdxPCZNtEXyZiEZQ7o8tGEQ5GrvKZM+/W4wAlY0P72GuGhuz1q4+e5NrI7wOGjMd9EXURTwSlq3qdmv5N/uGmePQ0wj8Eri0cqZjEP3MHhPoKht60BuB2LQWdGVzdCA8dGVzdEBkZXBhdWwuZWR1PokATgQQEQIADgUCRHHmGwQLAwIBAhkBAAoJEMY+hoiF0arfhmAAoL8H0JVdJ9X5CiTMikOyYK9AcbgMAJ4zZhwt22z3Z9CdmmM4KmIOnKc63bkCDQREceYbEAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAggAyxVy81TbGHYNV9Mfh5Dfi9Iuvsva8BiGrJFpY0jhfWfDlmGPEtqLZ6YzI++uAXQfuk2xLQsICy9RFflvtmeTNei8k/2f6l89Pw4Dh+fI5WzMMuXUGW8g7hvSoQ878ffoFL8mQAMD9xntURVFLhne8364qWTf1JSk0ftdMj0SyK2rXn+3JQPMB0R6x8DW4gM56cLKf09GyWlUqmAn/EXtc9iUL6WfWYywhlJ+VBG22EKnJp+gHY6ib8swmiRK/LvCfY7fNgKAVyJj9M8F0/axm0H99bpX3JD36SkfrrUKXacfPJUvJR0ulXwr58PGMvhK04nxXQaMetqqPO/uRLLNIokARgQYEQIABgUCRHHmGwAKCRDGPoaIhdGq33HdAJ9VXtpQKmnI6RBZ3O6f31fqVMI03wCgxMkE2HsZ7+RKieDGNCsH3KFJof0==oMO0-----END PGP PUBLIC KEY BLOCK-----
Encrypted Text Plain text
Hello world
Encrypt with public key
Cipher text
-----BEGIN PGP MESSAGE-----Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>qANQR1DBwU4DSTJMC1F2PksQB/0bmezbfmj/1NUYt5qM8TbOOl7uZH8wYNrsVFnFALv+wwdYFTMhT/DBoSWwnizkY31k0bTei57EjlNjg4z9mqgabm4OCj1s0O3GVQDPtIafYzDmdOrojgZ2jrszExFARL47ygXZA5qnDxoI3W5RiSbn5iQpp66wucJETAeycGQ6dTsnySTtmV9uB/tMyAPPnPQ+FP+Hd1bpBP000R+ySteLHjEKjMV752k==ScLD-----END PGP MESSAGE-----
Decrypt with private key
Plain text Hello World
Getting encryption applications PGP
Commercial applications http://www.pgp.com/
GnuPG Complete and Free implementation http://www.gnupg.org/ For Windows use gpg4win – www.gpg4win.org
Using GnuPG software Exporting, Importing and Backing up keys
text or ASCII file BACKUP, I said BACKUP your keys
Public Key Servers http://www.keyserver.net/en http://pgp.mit.edu/
Encrypting Email and Files Using Symmetric Encryption Demonstration
The End …
Questions
