
DePaul University DePaul Information Security. Today Microsoft Baseline Security Analyzer (MBSA) ...

Date post: 23-Dec-2015
Upload: adrian-nicholson
Page 1: DePaul University DePaul Information Security. Today: Microsoft Baseline Security Analyzer (MBSA), Using Internet Explorer securely, Email Privacy.

DePaul University

DePaul Information Security

Page 2:

Today

- Microsoft Baseline Security Analyzer (MBSA)
- Using Internet Explorer securely
- Email Privacy and File Integrity
- Using email encryption
- Spam

Page 3:

Outline

- What is MBSA?
- How to get it?
- Installation
- Features
- Demonstration

Page 4:

Securing Windows Systems

1. Operating System Updates

2. Use a Host Based Firewall

3. Account and Password Security

4. File Sharing

5. Microsoft Applications

Page 5:

What is MBSA?

- Created for Microsoft Systems specifically
- Tool to make Windows based systems and server applications more secure.
- MBSA points out known flaws which are not fixed on the tested system
- Shows ways to patch security holes
- Explains correct security guidelines
- Current version MBSA 2.0
- Presents a security snapshot

Page 6:

How to get it?

- Microsoft Web Site: http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
- Search on Google: Microsoft Baseline Security Analyzer

Page 7:

Installation

- Wizard for easy installation

Page 8:

Features

- Graphical User Interface (GUI) options
- Scan local computer
- Scan for common administrative vulnerabilities
- Scan for missing security updates against the Microsoft Update catalog
- Creates reports in MBSA

Page 9:

Supports

Checks for common administrative vulnerabilities for:

- Windows 2000, XP, 2003
- Windows Server 2003
- IIS 5.0, 6.0
- SQL Server 7.0, 2000
- IE 5.01+
- Office 2000, XP, 2003

Page 10:

Scans for common vulnerabilities

- Is Windows Firewall enabled?
- Are Automatic Updates enabled?
- Are strong passwords enforced?
- Are unsecured Guest accounts enabled?

Page 11:

MBSA Demonstration

Page 12:

Pretty Good Privacy - PGP

- What is PGP and why use it
- Cryptography
- Key Pairs
- Using PGP software
- Exporting, Importing and Backing up Keys
- Public Key Servers
- Encrypt/Decrypt Mail
- Encrypt/Decrypt Files
- Symmetric (secret or conventional) encryption
- Demonstration

Page 13:

Encryption Software

- What is PGP
- Originally authored by Philip Zimmermann in 1991
- Strong encryption software
- De-facto standard for email encryption today
- Originally free software now owned by Network Associates – www.pgp.com
- In 1997, OpenPGP working group formed to develop an open non-proprietary standard for PGP
- GnuPG is completely free and compliant with OpenPGP
- Email should not be considered private
- PGP allows for privacy and integrity

Page 14:

- Cryptography: Communicating in or deciphering secret writings or ciphers
- Cipher Text: Unreadable information – jumbled data
- Encryption: Process of scrambling information; converting ordinary plaintext information to cipher text
- Decryption: Recovering the plaintext back from the cipher text
- Public Key cryptography (asymmetric): Encryption and Decryption are performed using different keys
- Secret Key cryptography (symmetric): Same key is used for encryption and decryption

Page 15:

How does it work?

Two Keys needed – Public and Private

To send someone mail or verify their signature, you need to know their public key

Using a public key, you encode or “encrypt” a chunk of data (file or email message)

Using a private key, you decode or “decrypt” the data to read the file or email

Page 16:

How does it work?

Page 17:

Generating PGP keys

- The software will generate a public/private key pair
- You specify the size of the key (1024, 2048 bits)
- Need to provide a password to protect your key

Page 18:

Public Key – 2048 bits

Page 19:

Encrypted Text

Plain text

Hello world

Encrypt with public key

Cipher text


Decrypt with private key

Plain text

Hello World

Page 20:

Getting encryption applications

- PGP: Commercial applications – http://www.pgp.com/
- GnuPG: Complete and Free implementation – http://www.gnupg.org/
- For Windows use gpg4win – www.gpg4win.org

Page 21:

Using GnuPG software

- Exporting, Importing and Backing up keys
- text or ASCII file
- BACKUP, I said BACKUP your keys
- Public Key Servers: http://www.keyserver.net/en, http://pgp.mit.edu/
- Encrypting Email and Files
- Using Symmetric Encryption
- Demonstration
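
The GnuPG steps outlined on pages 17 to 21 (generate a key pair, export and back up keys, encrypt and decrypt, symmetric encryption), as an added example that is not part of the original slides. It assumes GnuPG 2.1 or later on the PATH; the identity, passphrase and file names are constructed for the demo.

```sh
# Added example, not from the slides. Assumes GnuPG 2.1+ on PATH.
# The identity, passphrase and file names are constructed for the demo.
pgp_roundtrip() {
  work=$(mktemp -d) || return 1
  mkdir -m 700 "$work/home" "$work/restore"
  uid='demo@example.invalid'
  # Demo only: a real passphrase is typed at the prompt, never stored in a file.
  printf '%s\n' 'constructed-demo-passphrase' > "$work/pass"
  set -- --batch --quiet --pinentry-mode loopback --passphrase-file "$work/pass"
  export GNUPGHOME="$work/home"

  # Generate a 2048-bit RSA key pair protected by the passphrase.
  gpg --batch --quiet --gen-key <<EOF || return 1
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo User
Name-Email: $uid
Expire-Date: 0
Passphrase: constructed-demo-passphrase
%commit
EOF

  # Export as ASCII text: the public key is shared, the secret key is the backup.
  gpg --batch --armor --export "$uid" > "$work/public.asc"
  gpg "$@" --armor --export-secret-keys "$uid" > "$work/secret-backup.asc"

  # Anyone holding the public key can encrypt to its owner.
  printf 'Hello world\n' > "$work/msg.txt"
  gpg --batch --quiet --armor --recipient "$uid" \
      --output "$work/msg.asc" --encrypt "$work/msg.txt"

  # Simulate losing the keyring: restore the backup into an empty one, then decrypt.
  gpgconf --kill gpg-agent
  export GNUPGHOME="$work/restore"
  gpg --batch --quiet --import "$work/secret-backup.asc" 2>/dev/null
  plain=$(gpg "$@" --decrypt "$work/msg.asc" 2>/dev/null)

  # Symmetric mode: one shared passphrase both encrypts and decrypts, no key pair.
  gpg "$@" --armor --symmetric --output "$work/sym.asc" "$work/msg.txt"
  sym=$(gpg "$@" --decrypt "$work/sym.asc" 2>/dev/null)

  gpgconf --kill gpg-agent
  head -n 1 "$work/public.asc"
  head -n 1 "$work/msg.asc"
  rm -rf "$work"
  [ "$plain" = 'Hello world' ] && [ "$sym" = 'Hello world' ]
}
```

The function succeeds only if the message encrypted to the public key decrypts from the restored backup, which is the reason the slide insists on backing up keys: without the secret key file, the cipher text cannot be recovered.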

Page 22:

The End …

Questions

